
CEH Lab Manual

Scanning Networks

Module 03

Scanning a Target Network

Scanning a network refers to a set of procedures for identifying hosts, ports, and services running in a network.

Lab Scenario

Vulnerability scanning determines the possibility of network security attacks. It evaluates the organization's systems and network for vulnerabilities such as missing patches, unnecessary services, weak authentication, and weak encryption. Vulnerability scanning is a critical component of any penetration testing assignment. You need to conduct penetration testing and list the threats and vulnerabilities found in an organization's network, and perform port scanning, network scanning, and vulnerability scanning to identify IP addresses/hostnames, live hosts, and vulnerabilities.

Lab Objectives

The objective of this lab is to help students in conducting network scanning, analyzing the network vulnerabilities, and maintaining a secure network.

You need to perform a network scan to:

■ Check live systems and open ports

■ Perform banner grabbing and OS fingerprinting

■ Identify network vulnerabilities

■ Draw network diagrams of vulnerable hosts

Lab Environment

In the lab, you need:

■ A computer running Windows Server 2012, Windows Server 2008, Windows 8 or Windows 7 with Internet access

■ A web browser

■ Administrative privileges to run tools and perform scans

Lab Duration

Time: 50 Minutes

Overview of Scanning Networks

Building on what we learned from our information gathering and threat modeling, we can now begin to actively query our victims for vulnerabilities that may lead to a compromise. We have narrowed down our attack surface considerably since we first began the penetration test with everything potentially in scope.

ICON KEY: Valuable information / Test your knowledge / Web exercise / Workbook review

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

CEH Lab Manual Page 85


Note that not all vulnerabilities will result in a system compromise. When searching for known vulnerabilities you will find more issues that disclose sensitive information or cause a denial of service condition than vulnerabilities that lead to remote code execution. These may still turn out to be very interesting on a penetration test. In fact, even a seemingly harmless misconfiguration can be the turning point in a penetration test that gives up the keys to the kingdom.

For example, consider FTP anonymous read access. This is a fairly normal setting. Though FTP is an insecure protocol and we should generally steer our clients towards using more secure options like SFTP, using FTP with anonymous read access does not by itself lead to a compromise. If you encounter an FTP server that allows anonymous read access, but read access is restricted to an FTP directory that does not contain any files that would be interesting to an attacker, then the risk associated with the anonymous read option is minimal. On the other hand, if you are able to read the entire file system using the anonymous FTP account, or possibly even worse, someone has mistakenly left the customer's trade secrets in the FTP directory that is readable to the anonymous user, this configuration is a critical issue.

Vulnerability scanners do have their uses in a penetration test, and it is certainly useful to know your way around a few of them. As we will see in this module, using a vulnerability scanner can help a penetration tester quickly gain a good deal of potentially interesting information about an environment.

In this module we will look at several forms of vulnerability assessment. We will study some commonly used scanning tools.

Lab Tasks

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity.

Recommended labs to assist you in scanning networks:

■ Scanning System and Network Resources Using Advanced IP Scanner

■ Banner Grabbing to Determine a Remote Target System Using ID Serve

■ Fingerprint Open Ports for Running Applications Using the Amap Tool

■ Monitor TCP/IP Connections Using the CurrPorts Tool

■ Scan a Network for Vulnerabilities Using GFI LanGuard 2012

■ Explore and Audit a Network Using Nmap

■ Scanning a Network Using the NetScanTools Pro

■ Drawing Network Diagrams Using LANSurveyor

■ Mapping a Network Using the Friendly Pinger

■ Scanning a Network Using the Nessus Tool

■ Auditing Scanning by Using Global Network Inventory

■ Anonymous Browsing Using Proxy Switcher

TASK 1: Overview

Ensure you have ready a copy of the additional readings handed out for this lab.


■ Daisy Chaining Using Proxy Workbench

■ HTTP Tunneling Using HTTPort

■ Basic Network Troubleshooting Using the MegaPing

■ Detect, Delete and Block Google Cookies Using G-Zapper

■ Scanning the Network Using the Colasoft Packet Builder

■ Scanning Devices in a Network Using The Dude

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure through public and free information.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Scanning System and Network Resources Using Advanced IP Scanner

Advanced IP Scanner is a free network scanner that gives you various types of information regarding local network computers.

Lab Scenario

In this day and age, where attackers are able to wait for a single chance to attack an organization to disable it, it becomes very important to perform vulnerability scanning to find the flaws and vulnerabilities in a network and patch them before an attacker intrudes into the network. The goal of running a vulnerability scanner is to identify devices on your network that are open to known vulnerabilities.

Lab Objectives

The objective of this lab is to help students perform a local network scan and discover all the resources on the network.

You need to:

■ Perform a system and network scan

■ Enumerate user accounts

■ Execute remote penetration

■ Gather information about local network computers

Lab Environment

In the lab, you need:

■ Advanced IP Scanner located at Z:\CEHv8 Module 03 Scanning Networks\Scanning Tools\Advanced IP Scanner

■ You can also download the latest version of Advanced IP Scanner from the link http://www.advanced-ip-scanner.com


■ If you decide to download the latest version, then screenshots shown in the lab might differ

■ A computer running Windows 8 as the attacker (host machine)

■ Another computer running Windows Server 2008 as the victim (virtual machine)

■ A web browser with Internet access

■ Double-click ipscan20.msi and follow the wizard-driven installation steps to install Advanced IP Scanner

■ Administrative privileges to run this tool

Lab Duration

Time: 20 Minutes

Overview of Network Scanning

Network scanning is performed to collect information about live systems, open ports, and network vulnerabilities. Gathered information is helpful in determining threats and vulnerabilities in a network and to know whether there are any suspicious or unauthorized IP connections, which may enable data theft and cause damage to resources.

Lab Tasks

TASK 1: Launching Advanced IP Scanner

1. Go to Start by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 1.1: Windows 8 - Desktop view

2. Click Advanced IP Scanner from the Start menu in the attacker machine (Windows 8).

Advanced IP Scanner works on Windows Server 2003/Server 2008 and on Windows 7 (32 bit, 64 bit).


FIGURE 1.2: Windows 8 - Apps

3. The Advanced IP Scanner main window appears.

FIGURE 1.3: The Advanced IP Scanner main window

4. Now launch the Windows Server 2008 virtual machine (victim's machine).

With Advanced IP Scanner, you can scan hundreds of IP addresses simultaneously.

You can wake any machine remotely with Advanced IP Scanner, if the Wake-on-LAN feature is supported by your network card.

FIGURE 1.4: The victim machine Windows Server 2008

5. Now, switch back to the attacker machine (Windows 8) and enter an IP address range in the Select range field.

6. Click the Scan button to start the scan.

7. Advanced IP Scanner scans all the IP addresses within the range and displays the scan results after completion.

You have to guess a range of IP addresses for the victim machine.

Radmin 2.x and 3.x integration enables you to connect (if Radmin is installed) to remote computers with just one click.

The status of the scan is shown at the bottom left side of the window.
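As an added example (not from the lab manual and not Advanced IP Scanner's code), the following Python script shows what lies behind the scanner's range field and results grid: it expands a range written as 10.0.0.1-10.0.0.10 into individual addresses, tags each reply with a manufacturer looked up from the MAC's OUI prefix, and reconciles the alive hosts against an asset list so that a device nobody expected on the segment stands out. The OUI table, the sample replies (modelled on the results shown later in this lab) and the asset list are constructed for the example; a real sweep would fill the replies from ARP or ICMP responses.

```python
"""Expand a scan range, tag replies by OUI and flag hosts missing from the asset list.

Added example, not the lab's or Advanced IP Scanner's own code. OUI_TABLE,
SAMPLE_REPLIES and the asset list used in main are constructed for the demo.
"""
import ipaddress
from collections import Counter

# Constructed OUI table (first three octets -> vendor); a real tool loads the full IEEE registry.
OUI_TABLE = {
    "00:09:5B": "Netgear, Inc.",
    "D0:67:E5": "Dell Inc",
    "D4:BE:D9": "Dell Inc",
    "00:15:5D": "Microsoft Corporation",  # Hyper-V virtual NICs
}

# Constructed sweep replies {ip: (host name, MAC)}, modelled on this lab's results figure.
SAMPLE_REPLIES = {
    "10.0.0.1": ("", "00:09:5B:AE:24:CC"),
    "10.0.0.2": ("WIN-MSSELCK4K41", "D0:67:E5:1A:16:36"),
    "10.0.0.3": ("WINDOWS8", "00:15:5D:A8:6E:C6"),
    "10.0.0.5": ("WIN-LXQN3WR3R9M", "00:15:5D:A8:6E:03"),
    "10.0.0.7": ("WIN-D39MR5HL9E4", "D4:BE:D9:C3:CE:2D"),
}


def expand_range(spec):
    """Turn 'a.b.c.d-a.b.c.e' (or a single address) into the list of IPv4 addresses it covers."""
    first, _, last = spec.partition("-")
    start = ipaddress.IPv4Address(first.strip())
    end = ipaddress.IPv4Address(last.strip()) if last else start
    if end < start:
        raise ValueError(f"range end {end} precedes start {start}")
    return [str(ipaddress.IPv4Address(n)) for n in range(int(start), int(end) + 1)]


def manufacturer(mac):
    """Vendor for a MAC address from its OUI prefix; accepts ':' or '-' separators in any case."""
    prefix = mac.upper().replace("-", ":")[:8]
    return OUI_TABLE.get(prefix, "unknown")


def tabulate(spec, replies):
    """One row per address in the range: replies become 'alive' rows with name, MAC and vendor."""
    rows = []
    for ip in expand_range(spec):
        if ip in replies:
            name, mac = replies[ip]
            rows.append({"ip": ip, "status": "alive", "name": name,
                         "mac": mac, "manufacturer": manufacturer(mac)})
        else:
            rows.append({"ip": ip, "status": "no reply", "name": "", "mac": "", "manufacturer": ""})
    return rows


def summary(rows):
    """Counts in the style of the scanner's status bar."""
    counts = Counter(r["status"] for r in rows)
    return f"{counts['alive']} alive, {counts['no reply']} no reply"


def unexpected_hosts(rows, known_assets):
    """Alive addresses that are not in the asset inventory: the ones an administrator should look at."""
    return [r["ip"] for r in rows if r["status"] == "alive" and r["ip"] not in known_assets]


if __name__ == "__main__":
    table = tabulate("10.0.0.1-10.0.0.10", SAMPLE_REPLIES)
    for row in table:
        print(f"{row['ip']:<10} {row['status']:<9} {row['name']:<16} {row['mac']:<18} {row['manufacturer']}")
    print(summary(table))
    # Constructed asset list: 10.0.0.7 is deliberately left out so that it is reported.
    print("not in inventory:", unexpected_hosts(table, {"10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.5"}))
```

The reconciliation step is the part the scanner's grid does not do for you: a sweep only tells you what answered, and comparing that against what is supposed to be there is how an unauthorized host or a forgotten virtual machine gets noticed.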


Scan results shown in the Advanced IP Scanner window (range 10.0.0.1-10.0.0.10):

  Status  Name              IP         Manufacturer            MAC address
  alive   10.0.0.1          10.0.0.1   Netgear, Inc.           00:09:5B:AE:24:CC
  alive   WIN-MSSELCK4K41   10.0.0.2   Dell Inc                D0:67:E5:1A:16:36
  alive   WINDOWS8          10.0.0.3   Microsoft Corporation   00:15:5D:A8:6E:C6
  alive   WIN-LXQN3WR3R9M   10.0.0.5   Microsoft Corporation   00:15:5D:A8:6E:03
  alive   WIN-D39MR5HL9E4   10.0.0.7   Dell Inc                D4:BE:D9:C3:CE:2D
  5 alive, 0 dead, 5 unknown

FIGURE 1.6: The Advanced IP Scanner main window after scanning

8. You can see in the above figure that Advanced IP Scanner has detected the victim machine's IP address and displays the status as alive.

9. Right-click any of the detected IP addresses. It will list Wake-On-LAN, Shut down, and Abort Shut down.

Right-click menu on a detected host: Add to 'Favorites', Rescan selected, Save selected..., Wake-On-LAN, Shut down..., Abort shut down, Radmin, Explore, Copy.

FIGURE 1.7: The Advanced IP Scanner main window with Alive Host list

10. The list displays properties of the detected computer, such as IP address, Name, MAC, and NetBIOS information.

11. You can forcefully Shutdown, Reboot, and Abort Shutdown the selected victim machine/IP address.

Saving and loading lists of computers enables you to perform operations with a specific list of computers. Just save a list of the machines you need and Advanced IP Scanner loads it at startup automatically.

Group Operations: Any feature of Advanced IP Scanner can be used with any number of selected computers. For example, you can remotely shut down a complete computer class with a few clicks.

TASK 2: Extract Victim's IP Address Info

Wake-on-LAN: You can wake any machine remotely with Advanced IP Scanner, if the Wake-on-LAN feature is supported by your network card.


Shutdown options dialog: Use Windows authentication; User name; Password; Timeout (sec): 60; Message; Forced shutdown; Reboot.

Winfingerprint Input Options: IP Range (Netmask and Inverted Netmask supported), IP List, Single Host, Neighborhood.

FIGURE 1.8: The Advanced IP Scanner Computer properties window

12. Now you have the IP address, Name, and other details of the victim machine.

13. You can also try Angry IP Scanner located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Ping Sweep Tools\Angry IP Scanner. It also scans the network for machines and ports.

Lab Analysis

Document all the IP addresses, open ports and their running applications, and protocols discovered during the lab.

Tool/Utility: Advanced IP Scanner

Information Collected/Objectives Achieved: Scan Information:

■ IP address

■ System name

■ MAC address

■ NetBIOS information

■ Manufacturer

■ System status


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Examine and evaluate the IP addresses and range of IP addresses.

Internet Connection Required

☐ Yes ☑ No

Platform Supported

☑ Classroom ☑ iLabs


Banner Grabbing to Determine a Remote Target System Using ID Serve

ID Serve is used to identify the make, model, and version of any website's server software.

Lab Scenario

In the previous lab, you learned to use Advanced IP Scanner. This tool can also be used by an attacker to detect vulnerabilities such as buffer overflow, integer overflow, SQL injection, and web application vulnerabilities on a network. If these vulnerabilities are not fixed immediately, attackers can easily exploit them, break into the network and cause server damage.

Therefore, it is extremely important for penetration testers to be familiar with banner grabbing techniques to monitor servers to ensure compliance and appropriate security updates. Using this technique you can also locate rogue servers or determine the role of servers within a network. In this lab, you will learn the banner grabbing technique to determine a remote target system using ID Serve.

Lab Objectives

The objective of this lab is to help students learn to banner grab a website and discover the applications running on that website.

In this lab you will learn to:

■ Identify the domain IP address

■ Identify the domain information

Lab Environment

To perform the lab you need:

■ ID Serve is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\ID Serve


■ You can also download the latest version of ID Serve from the link http://www.grc.com/id/idserve.htm

■ If you decide to download the latest version, then screenshots shown in the lab might differ

■ Double-click idserve to run ID Serve

■ Administrative privileges to run the ID Serve tool

■ Run this tool on Windows Server 2012

Lab Duration

Time: 5 Minutes

Overview of ID Serve

ID Serve can connect to any server port on any domain or IP address, then pull and display the server's greeting message, if any, often identifying the server's make, model, and version, whether it's for FTP, SMTP, POP, NEWS, or anything else.

Lab Tasks

1. Double-click idserve located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\ID Serve

2. In the main window of ID Serve shown in the following figure, select the Server Query tab

TASK 1: Identify website server information

ID Serve main window (Internet Server Identification Utility, v1.02, Personal Security Freeware by Steve Gibson, Copyright (c) 2003 by Gibson Research Corp.): tabs Background, Server Query and Q&A/Help; a field "Enter or copy / paste an Internet server URL or IP address here (example www.microsoft.com)"; a "Query The Server" button; and a "The server identified itself as" result box. If an IP address is entered instead of a URL, ID Serve will attempt to determine the domain name associated with the IP.

FIGURE 2.1: Main window of ID Serve

3. Enter the IP address or URL in the "Enter or copy/paste an Internet server URL or IP address here" field:


The URL www.certifiedhacker.com entered in the query field of the Server Query tab.

ID Serve can accept the URL or IP as a command-line parameter.

FIGURE 2.2: Entering the URL for query

4. Click Query The Server; it shows the server query processed information.

Server query processing log shown by ID Serve:

Initiating server query
Looking up IP address for domain www.certifiedhacker.com
The IP address for the domain is 202.75.54.101
Connecting to the server on standard HTTP port: 80
Connected! Requesting the server's default page

The server identified itself as: Microsoft-IIS/6.0

ID Serve can also connect with non-web servers to receive and report that server's greeting message. This generally reveals the server's make, model, version, and other potentially useful information.

FIGURE 2.3: Server processed information
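As an added example (not ID Serve's code and not from the lab manual), the following Python script performs the two steps ID Serve's log shows, connect to port 80 and request the default page, and then reads the Server header out of the reply, which is what ID Serve displays as "The server identified itself as". The parsing functions work on a captured response, so the sample below is a constructed byte string modelled on the headers this lab reports, and the live grab_http_banner function is only used interactively; the set of version-disclosing headers is chosen for this example.

```python
"""Grab and interpret an HTTP server banner the way the ID Serve lab does.

Added example, not ID Serve's own code. SAMPLE_RESPONSE is constructed,
modelled on the headers reported in the lab; grab_http_banner is the live
variant and is not exercised here.
"""
import socket

# Constructed sample response, modelled on the headers the lab reports.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"X-Powered-By: PHP/4.4.8\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>...</html>"
)

# Headers that commonly carry product and version strings; chosen for this example.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")


def build_request(host, path="/"):
    """Minimal HTTP/1.1 GET for the default page, matching what ID Serve's log describes."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")


def parse_response(raw):
    """Split a raw HTTP response into (status line, header dict with lowercase names); body is dropped."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def server_identity(raw):
    """The value ID Serve reports as the server's identity, or 'unknown' when no Server header is sent."""
    _, headers = parse_response(raw)
    return headers.get("server", "unknown")


def version_disclosures(raw):
    """Headers in the response that reveal software names or versions, for a hardening review."""
    _, headers = parse_response(raw)
    return {name: headers[name] for name in DISCLOSING_HEADERS if name in headers}


def grab_http_banner(host, port=80, timeout=5.0):
    """Live version: connect, send the request and read until the server closes or 4 KiB arrive."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(host))
        chunks = []
        while sum(len(c) for c in chunks) < 4096:
            chunk = sock.recv(1024)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    print("server:", server_identity(SAMPLE_RESPONSE))
    print("disclosures:", version_disclosures(SAMPLE_RESPONSE))
```

The disclosure check is the defender's half of banner grabbing: run it against your own servers, and where Server or X-Powered-By reveals an exact product version, remove or generalise the header in the server configuration so the banner no longer tells a scanner which patch level to look up.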

Lab Analysis

Document all the IP addresses, their running applications, and the protocols you discovered during the lab.


Tool/Utility: ID Serve

Information Collected/Objectives Achieved:

IP address: 202.75.54.101

Server Connection: Standard HTTP port: 80

Response headers returned from server:

■ HTTP/1.1 200

■ Server: Microsoft-IIS/6.0

■ X-Powered-By: PHP/4.4.8

■ Transfer-Encoding: chunked

■ Content-Type: text/html

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Examine which protocols ID Serve supports.

2. Check if ID Serve supports https (SSL) connections.

Internet Connection Required

☐ Yes ☑ No

Platform Supported

☑ Classroom ☑ iLabs


Fingerprinting Open Ports Using the Amap Tool

Amap determines the applications running on each open port.

Lab Scenario

Computers communicate with each other by knowing the IP address in use, and ports determine which program to use when data is received. A complete data transfer always contains the IP address plus the port number required. In the previous lab we found out that the server connection is using the standard HTTP port 80. If an attacker finds this information, he or she will be able to use the open ports for attacking the machine.

In this lab, you will learn to use the Amap tool to perform port scanning and know exactly what applications are running on each port found open.

Lab Objectives

The objective of this lab is to help students learn to fingerprint open ports and discover the applications running on these open ports.

In this lab, you will learn to:

■ Identify the application protocols running on open port 80

■ Detect application protocols

Lab Environment

To perform the lab you need:

■ Amap is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP

■ You can also download the latest version of AMAP from the link http://www.thc.org/thc-amap

■ If you decide to download the latest version, then screenshots shown in the lab might differ


■ A computer running Web Services enabled for port 80

■ Administrative privileges to run the Amap tool

■ Run this tool on Windows Server 2012

Lab Duration

Time: 5 Minutes

Overview of Fingerprinting

Fingerprinting is used to discover the applications running on each open port found on the network. Fingerprinting is achieved by sending trigger packets and looking up the responses in a list of response strings.

Lab Tasks

1. Open the command prompt and navigate to the Amap directory. In this lab the Amap directory is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Banner Grabbing Tools\AMAP

2. Type amap www.certifiedhacker.com 80, and press Enter.

Command prompt output:

D:\CEH-Tools\CEHv8 Module 03 Scanning Network\Banner Grabbing Tools\AMAP>amap www.certifiedhacker.com 80
amap v5.2 (www.thc.org/thc-amap) started at 2012-08-28 12:20:42 - MAPPING mode

Unidentified ports: 202.75.54.101:80/tcp (total 1).

amap v5.2 finished at 2012-08-28 12:20:53

D:\CEH-Tools\CEHv8 Module 03 Scanning Network\Banner Grabbing Tools\AMAP>

FIGURE 3.1: Amap with host name www.certifiedhacker.com with Port 80

3. You can see the specific application protocols running on the entered host name and the port 80.

4. Use the IP address to check the applications running on a particular port.

5. In the command prompt, type the IP address of your local Windows Server 2008 (virtual machine): amap 10.0.0.4 75-81 (local Windows Server 2008), and press Enter (the IP address will be different in your network).

6. Try scanning different websites using different port ranges, for example amap www.certifiedhacker.com 1-200

TASK 1: Identify Application Protocols Running on Port 80

Syntax: amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port]...]

For Amap options, type amap -help.
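To make the overview's description of fingerprinting concrete, here is an added Python example (not Amap's code and not from the lab manual) of trigger/response matching: each trigger payload is sent to the port, every reply is run through a table of regular-expression signatures, all matching protocol names are reported (as Amap reports both http and http-iis for one IIS reply), a port that accepts the connection but never answers stays unidentified, and a refused connection is reported as unreachable. The trigger table, the signatures and the fake listeners are constructed stand-ins for Amap's definition files and for the network, so the script runs offline.

```python
"""Trigger/response fingerprinting of a port, in the style the Amap lab describes.

Added example, not Amap's code. TRIGGERS and SIGNATURES are a constructed
subset standing in for Amap's trigger and response definition files, and
FAKE_HOSTS replaces the network so the script runs offline.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    protocol: str
    pattern: re.Pattern


# Constructed triggers: a payload to send, or None to connect and just wait for a greeting.
TRIGGERS = {
    "http-get": b"GET / HTTP/1.0\r\n\r\n",
    "greeting": None,
}

# Constructed response signatures; every matching signature is reported, as Amap does.
SIGNATURES = [
    Signature("http", re.compile(rb"^HTTP/1\.[01] \d{3}")),
    Signature("http-apache-2", re.compile(rb"^Server: Apache/2\.", re.M)),
    Signature("http-iis", re.compile(rb"^Server: Microsoft-IIS", re.M)),
    Signature("webmin", re.compile(rb"^Server: MiniServ", re.M)),
    Signature("smtp", re.compile(rb"^220 .*E?SMTP")),
    Signature("ssh", re.compile(rb"^SSH-[12]\.")),
    Signature("ftp", re.compile(rb"^220 .*FTP", re.I)),
]


def identify(responses):
    """Run every signature over every response; a protocol is reported if any response matches."""
    found = set()
    for response in responses.values():
        if not response:
            continue
        for sig in SIGNATURES:
            if sig.pattern.search(response):
                found.add(sig.protocol)
    return sorted(found)


def fingerprint(target, port, probe):
    """Send each trigger through probe(target, port, payload) and classify the port.

    probe returns None when the TCP connection fails, b"" when it connects but
    nothing comes back, and otherwise the bytes received.
    """
    responses = {name: probe(target, port, payload) for name, payload in TRIGGERS.items()}
    if all(r is None for r in responses.values()):
        status = "unreachable"   # Amap: "Could not connect (unreachable) ... disabling port"
        protocols = []
    else:
        protocols = identify(responses)
        status = "identified" if protocols else "unidentified"
    return {"port": f"{target}:{port}/tcp", "status": status, "protocols": protocols}


# Constructed stand-in for real listeners, keyed by port. A live probe would use
# socket.create_connection, sendall() the payload and recv() with a timeout.
FAKE_HOSTS = {
    80: lambda payload: (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n\r\n"
                         if payload and payload.startswith(b"GET") else b""),
    25: lambda payload: b"220 mail.example.test ESMTP ready\r\n",  # greets on connect
    22: lambda payload: b"SSH-2.0-OpenSSH_8.9\r\n",                 # greets on connect
    8080: lambda payload: b"",                                      # accepts, never answers
}


def fake_probe(target, port, payload):
    """Constructed network layer: ports absent from FAKE_HOSTS refuse the connection."""
    handler = FAKE_HOSTS.get(port)
    return None if handler is None else handler(payload)


if __name__ == "__main__":
    for p in (80, 25, 22, 8080, 81):
        print(fingerprint("10.0.0.4", p, fake_probe))
```

Seen from the server side, the signature table is also a checklist of what your own services give away on connect: a greeting that names the product and version is matched in one round trip, whereas a service that says nothing until it is spoken to, or that strips the version from its banner, leaves the scanner with an unidentified port.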


FIGURE 3.2: Amap with IP address and with range of switches 73-81

Lab Analysis

Document all the IP addresses, open ports and their running applications, and the protocols you discovered during the lab.

Tool/Utility: Amap

Information Collected/Objectives Achieved:

Identified open port: 80

Web Servers:

■ http-apache-2

■ http-iis

■ webmin

Unidentified ports:

■ 10.0.0.4:75/tcp

■ 10.0.0.4:76/tcp

■ 10.0.0.4:77/tcp

■ 10.0.0.4:78/tcp

■ 10.0.0.4:79/tcp

■ 10.0.0.4:81/tcp


Command prompt output shown in Figure 3.2:

D:\CEH-Tools\CEHv8 Module 03 Scanning Network\Banner Grabbing Tools\AMAP>amap 10.0.0.4 75-81
amap v5.2 (www.thc.org/thc-amap) started at 2012-08-28 12:27:51 - MAPPING mode

Protocol on 10.0.0.4:80/tcp matches http
Protocol on 10.0.0.4:80/tcp matches http-apache-2
Warning: Could not connect (unreachable) to 10.0.0.4:76/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:75/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:77/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:78/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:79/tcp, disabling port (EUNKN)
Warning: Could not connect (unreachable) to 10.0.0.4:81/tcp, disabling port (EUNKN)
Protocol on 10.0.0.4:80/tcp matches http-iis
Protocol on 10.0.0.4:80/tcp matches webmin

Unidentified ports: 10.0.0.4:75/tcp 10.0.0.4:76/tcp 10.0.0.4:77/tcp 10.0.0.4:78/tcp 10.0.0.4:79/tcp 10.0.0.4:81/tcp (total 6).

amap v5.2 finished at 2012-08-28 12:27:54

D:\CEH-Tools\CEHv8 Module 03 Scanning Network\Banner Grabbing Tools\AMAP>

Compiles on all UNIX based platforms - even MacOS X, Cygwin on Windows, ARM-Linux and PalmOS


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Execute the Amap command for a host name with a port number other than 80.

2. Analyze how the Amap utility gets the applications running on different machines.

3. Use various Amap options and analyze the results.

Internet Connection Required

☑ Yes ☐ No

Platform Supported

☑ Classroom ☐ iLabs


Monitoring TCP/IP Connections Using the CurrPorts Tool

CurrPorts is network monitoring software that displays the list of all currently opened TCP/IP and UDP ports on your local computer.

L a b S c e n a r io

111 the previous lab you learned how to check for open ports using the Amap tool. As an e th ic a l h a c k e r and p e n e tra tio n te s te r , you must be able to block such attacks by using appropriate firewalls or disable unnecessary services running 011 the computer.

You already know that the Internet uses a software protocol named T C P / IP to format and transfer data. A11 attacker can monitor ongoing TCP connections and can have all the information in the IP and TCP headers and to the packet payloads with which he or she can hijack the connection. As the attacker has all die information 011 the network, he or she can create false packets in the TCP connection.

As a network administrator, your daily task is to check the TCP/IP connections of each server you manage. You have to monitor all TCP and UDP ports and list all the established IP addresses of the server using the CurrPorts tool.

Lab Objectives

The objective of this lab is to help students determine and list all the TCP/IP and UDP ports of a local computer.

In this lab, you need to:

■ Scan the system for currently opened TCP/IP and UDP ports

■ Gather information on the ports and processes that are opened

■ List all the IP addresses that currently have established connections

■ Close unwanted TCP connections and kill the process that opened the ports


Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks


Lab Environment

To perform the lab, you need:

■ CurrPorts located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\CurrPorts

■ You can also download the latest version of CurrPorts from the link http://www.nirsoft.net/utils/cports.html

■ If you decide to download the latest version, then the screenshots shown in the lab might differ

■ A computer running Windows Server 2012

■ Double-click cports.exe to run this tool

■ Administrator privileges to run the CurrPorts tool

Lab Duration

Time: 10 Minutes

You can download the CurrPorts tool from http://www.nirsoft.net.

Overview of Monitoring TCP/IP

Monitoring TCP/IP ports checks whether multiple IP connections are established. Scanning TCP/IP ports gets information on all the opened TCP and UDP ports and also displays all established IP addresses on the server.

Lab Tasks

The CurrPorts utility is a standalone executable and doesn't require any installation process or additional DLLs (Dynamic Link Libraries). Extract CurrPorts to the desired location and double-click cports.exe to launch it.

1. Launch CurrPorts. It automatically displays the process name, ports, IP and remote addresses, and their states.

TASK 1: Discover TCP/IP Connection

[Figure 4.1 screenshot: CurrPorts main window with the columns Process Name, Process ID, Protocol, Local Port, Local Port Name, Local Address, Remote Port, Remote Port Name, Remote Address, Remote Host Name, listing chrome.exe, firefox.exe, httpd.exe and lsass.exe connections; status bar: 79 Total Ports, 21 Remote Connections, 1 Selected]


FIGURE 4.1: The CurrPorts main window with all processes, ports, and IP addresses

2. CurrPorts lists all the processes and their IDs, protocols used, local and remote IP addresses, local and remote ports, and remote host names.

3. To view all the reports as an HTML page, click View → HTML Reports - All Items.

[Figure 4.2 screenshot: CurrPorts View menu open, showing Show Grid Lines, Show Tooltips, Mark Odd/Even Rows, HTML Report - All Items, HTML Report - Selected Items, Choose Columns, Auto Size Columns and Refresh (F5); status bar: 79 Total Ports, 21 Remote Connections, 1 Selected]

FIGURE 4.2: The CurrPorts with HTML Report - All Items

4. The HTML Report automatically opens using the default browser.

[Figure 4.3 screenshot: Firefox displaying the "TCP/UDP Ports List - Created by using CurrPorts" report (report.html) with the columns Process Name, Process ID, Protocol, Local Port, Local Port Name, Local Address, Remote Port, Remote Port Name, Remote Address, Remote Host Name, listing the chrome.exe (PID 2988) connections]

FIGURE 4.3: The Web browser displaying CurrPorts Report - All Items

5. To save the generated CurrPorts report from the web browser, click File → Save Page As... (Ctrl+S).

The CurrPorts utility is a standalone executable, which doesn't require any installation process or additional DLLs.

In the bottom left of the CurrPorts window, the status of total ports and remote connections is displayed.

To check the countries of the remote IP addresses, you have to download the latest IP to Country file. You have to put the IpToCountry.csv file in the same folder as cports.exe.


[Figure 4.4 screenshot: Firefox File menu open over the CurrPorts TCP/UDP Ports List report, showing New Tab, New Window, Open File..., Save Page As... (Ctrl+S), Send Link..., Page Setup..., Print Preview, Print...]

FIGURE 4.4: The Web browser to Save CurrPorts Report - All Items

6. To view only the selected report as an HTML page, select the items and click View → HTML Reports - Selected Items.

[Figure 4.5 screenshot: CurrPorts View menu open with HTML Report - Selected Items highlighted; status bar: 79 Total Ports, 21 Remote Connections, 3 Selected]

FIGURE 4.5: CurrPorts with HTML Report - Selected Items

7. The selected report automatically opens using the default browser.

CurrPorts allows you to save all changes (added and removed connections) into a log file. In order to start writing to the log file, check the 'Log Changes' option under the File menu.

By default, the log file is saved as cports.log in the same folder where cports.exe is located. You can change the default log filename by setting the LogFilename entry in the cports.cfg file.

Be aware! The log file is updated only when you refresh the ports list manually, or when the Auto Refresh option is turned on.

You can also right-click on the Web page and save the report.


[Figure 4.6 screenshot: Firefox displaying the TCP/UDP Ports List report for the three selected items, with the columns Process Name, Process ID, Protocol, Local Port, Local Port Name, Local Address, Remote Port, Remote Port Name, Remote Address, Remote Host Name, State: chrome.exe (2988, TCP 4148, 10.0.0.7 to 173.194.36.26:443 https, Established), firefox.exe (1368, TCP 4163, 10.0.0.7 to 173.194.36.15:443 https, Established), httpd.exe (1800, TCP 1070, Listening)]

In the filters dialog box, you can add one or more filter strings (separated by spaces, semicolons, or CRLF).

FIGURE 4.6: The Web browser displaying CurrPorts with HTML Report - Selected Items

8. To save the generated CurrPorts report from the web browser, click File → Save Page As... (Ctrl+S).

[Figure 4.7 screenshot: Firefox File menu open over the selected-items report, showing Save Page As... (Ctrl+S); the report lists chrome.exe (2988, TCP 4148), firefox.exe (1368, TCP 4163) and httpd.exe (1800, TCP 1070)]

FIGURE 4.7: The Web browser to Save CurrPorts with HTML Report - Selected Items

9. To view the properties of a port, select the port and click File → Properties.

The syntax for a filter string: [include | exclude]:[local | remote | both | process]:[tcp | udp | tcpudp]:[IP Range | Ports Range].

Command-line option: /stext <Filename> saves the list of all opened TCP/UDP ports into a regular text file.


[Figure 4.8 screenshot: CurrPorts File menu open, showing IPNetInfo (Ctrl+I), Close Selected TCP Connections (Ctrl+T), Kill Processes Of Selected Ports, Save Selected Items (Ctrl+S), Properties (Alt+Enter), Process Properties (Ctrl+P), Log Changes, Open Log File, Clear Log File, Advanced Options (Ctrl+O), Exit; status bar: 79 Total Ports, 21 Remote Connections, 1 Selected]

Command-line option: /stab <Filename> saves the list of all opened TCP/UDP ports into a tab-delimited text file.

FIGURE 4.8: CurrPorts to view properties for a selected port

10. The Properties window appears and displays all the properties for the selected port.

11. Click OK to close the Properties window.

[Figure 4.9 screenshot: Properties window for firefox.exe (Process ID 1368), TCP, local port 4166 on 10.0.0.7, remote port 443 (https) on 173.194.36.0 (bom04s01-in-f0.1e100.net), state Established, process path C:\Program Files (x86)\Mozilla Firefox\firefox.exe, Firefox 14.0.1, Mozilla Corporation, process created 8/25/2012 2:36:28 PM, user WIN-D39MR5HL9E4\Administrator, added on 8/25/2012 3:32:58 PM. Fields shown: Process Name, Process ID, Protocol, Local Port, Local Port Name, Local Address, Remote Port, Remote Port Name, Remote Address, Remote Host Name, State, Process Path, Product Name, File Description, File Version, Company, Process Created On, User Name, Process Services, Process Attributes, Added On, Module Filename, Remote IP Country, Window Title; OK button]

Command-line option: /shtml <Filename> saves the list of all opened TCP/UDP ports into an HTML file (horizontal).

FIGURE 4.9: The CurrPorts Properties window for the selected port


12. To close a TCP connection you think is suspicious, select the process and click File → Close Selected TCP Connections (or press Ctrl+T).

[Figure 4.10 screenshot: CurrPorts File menu open with Close Selected TCP Connections (Ctrl+T) highlighted; status bar: 79 Total Ports, 21 Remote Connections, 1 Selected]

FIGURE 4.10: The CurrPorts Close Selected TCP Connections option window

13. To kill the processes of a port, select the port and click File → Kill Processes Of Selected Ports.

[Figure 4.11 screenshot: CurrPorts File menu open with Kill Processes Of Selected Ports highlighted; status bar: 79 Total Ports, 21 Remote Connections, 1 Selected]

FIGURE 4.11: The CurrPorts Kill Processes Of Selected Ports option window

14. To exit from the CurrPorts utility, click File → Exit. The CurrPorts window closes.

TASK 2: Close TCP Connection

TASK 3: Kill Process


[Figure 4.12 screenshot: CurrPorts File menu open with Exit highlighted; status bar: 79 Total Ports, 21 Remote Connections, 1 Selected]

Command-line option: /sverhtml <Filename> saves the list of all opened TCP/UDP ports into an HTML file (vertical).

FIGURE 4.12: The CurrPorts Exit option window

Lab Analysis

Document all the IP addresses, open ports and their running applications, and protocols discovered during the lab.

Tool/Utility: CurrPorts

Information Collected/Objectives Achieved:

Profile Details: Network scan for open ports

Scanned Report:

■ Process Name
■ Process ID
■ Protocol
■ Local Port
■ Local Address
■ Remote Port
■ Remote Port Name
■ Remote Address
■ Remote Host Name

In the command line, the syntax of the /close command is: /close <Local Address> <Local Port> <Remote Address> <Remote Port>.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Analyze the results from CurrPorts by creating a filter string that displays only packets with remote TCP port 80 and UDP port 53 and running it.

2. Analyze and evaluate the output results by creating a filter that displays only the opened ports in the Firefox browser.

3. Determine the use of each of the following options that are available under the Options menu of CurrPorts:

a. Display Established

b. Mark Ports Of Unidentified Applications

c. Display Items Without Remote Address

d. Display Items With Unknown State
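As an added example (it is not code from the lab manual or from NirSoft's CurrPorts), the following Python script implements the filter-string syntax quoted earlier in this lab, [include | exclude]:[local | remote | both | process]:[tcp | udp | tcpudp]:[IP Range | Ports Range], over a connection list in the shape of a /stab tab-delimited export, and builds the filters asked for in questions 1 and 2 above. The sample export is constructed (the column names are those of the lab's HTML report, the rows mimic the screenshots); the form of a process filter (include:process:<name>) and the rule for combining several filters (an item is shown if it matches some include filter and no exclude filter) are assumptions, not CurrPorts' documented behaviour.

```python
"""Apply CurrPorts-style filter strings to a tab-delimited connection list.
Added example; not code from the lab manual or from NirSoft's CurrPorts. Grammar:
    [include|exclude]:[local|remote|both|process]:[tcp|udp|tcpudp]:[IP Range|Ports Range]
ASSUMED (not stated on the page): a process filter is written include:process:<name>,
and a connection is shown if it matches some include filter (or none is given) and
matches no exclude filter.
"""
from __future__ import annotations
import csv, io, ipaddress, re
from collections import namedtuple

# CONSTRUCTED sample shaped like a '/stab' export; the columns are those of the
# lab's HTML report and the rows mimic the lab screenshots.
SAMPLE_EXPORT = (
    "Process Name\tProcess ID\tProtocol\tLocal Port\tLocal Port Name\tLocal Address\t"
    "Remote Port\tRemote Port Name\tRemote Address\tRemote Host Name\tState\n"
    "chrome.exe\t2988\tTCP\t4119\t\t10.0.0.7\t80\thttp\t173.194.36.26\tbom04s01-in-f26.1e100.net\tEstablished\n"
    "chrome.exe\t2988\tTCP\t4148\t\t10.0.0.7\t443\thttps\t173.194.36.26\tbom04s01-in-f26.1e100.net\tEstablished\n"
    "firefox.exe\t1368\tTCP\t3981\t\t127.0.0.1\t3982\t\t127.0.0.1\tWIN-D39MR5HL9E\tEstablished\n"
    "firefox.exe\t1368\tTCP\t4163\t\t10.0.0.7\t443\thttps\t173.194.36.15\tbom04s01-in-f15.1e100.net\tEstablished\n"
    "httpd.exe\t1800\tTCP\t1070\t\t0.0.0.0\t\t\t\t\tListening\n"
    "lsass.exe\t564\tTCP\t1028\t\t0.0.0.0\t\t\t\t\tListening\n"
    "svchost.exe\t900\tUDP\t52344\t\t10.0.0.7\t53\tdomain\t10.0.0.1\t\t\n"
)

def parse_export(text: str) -> list[dict]:
    """Parse the export into one dict per connection; blank ports become None."""
    rows = []
    for r in csv.DictReader(io.StringIO(text), delimiter="\t"):
        for col in ("Local Port", "Remote Port"):
            r[col] = int(r[col]) if r[col] else None
        r["Process ID"] = int(r["Process ID"])
        rows.append(r)
    return rows

Filter = namedtuple("Filter", "include side protocol value")  # one parsed filter string

def parse_filters(spec: str) -> list[Filter]:
    """Split a filter-box entry (space, ';' or CRLF separated) into Filter objects."""
    filters = []
    for token in re.split(r"[\s;]+", spec.strip()):
        if not token:
            continue
        parts = token.split(":")
        if len(parts) < 3 or parts[0].lower() not in ("include", "exclude"):
            raise ValueError(f"malformed filter string {token!r}")
        include, side = parts[0].lower() == "include", parts[1].lower()
        if side == "process":                       # assumed form: include:process:<name>
            filters.append(Filter(include, side, "tcpudp", ":".join(parts[2:])))
        elif side in ("local", "remote", "both") and len(parts) == 4 \
                and parts[2].lower() in ("tcp", "udp", "tcpudp"):
            filters.append(Filter(include, side, parts[2].lower(), parts[3]))
        else:
            raise ValueError(f"malformed filter string {token!r}")
    return filters

_PORT_SPEC = re.compile(r"\d+(-\d+)?")  # "80" or "21-25"; anything else is an IP spec

def _in_range(value, spec: str) -> bool:
    """Is a port (int) or address (str) within 'x' or 'x-y'? Blank values never match."""
    if value is None or value == "":
        return False
    lo, _, hi = spec.partition("-")
    conv = int if isinstance(value, int) else ipaddress.ip_address
    return conv(lo) <= conv(value) <= conv(hi or lo)

def matches(conn: dict, f: Filter) -> bool:
    """True when the connection satisfies one filter string."""
    if f.side == "process":
        return conn["Process Name"].lower() == f.value.lower()
    if f.protocol != "tcpudp" and conn["Protocol"].lower() != f.protocol:
        return False
    field = "Port" if _PORT_SPEC.fullmatch(f.value) else "Address"
    sides = ("Local", "Remote") if f.side == "both" else (f.side.capitalize(),)
    return any(_in_range(conn[f"{s} {field}"], f.value) for s in sides)

def apply_filters(conns: list[dict], spec: str) -> list[dict]:
    """Connections the filter box would leave visible (combining rule as ASSUMED above)."""
    filters = parse_filters(spec)
    includes = [f for f in filters if f.include]
    excludes = [f for f in filters if not f.include]
    return [c for c in conns
            if (not includes or any(matches(c, f) for f in includes))
            and not any(matches(c, f) for f in excludes)]

def listening_ports(conns: list[dict]) -> list[tuple]:
    """(process, local port) of every listening socket: the exposure a defender reviews first."""
    return [(c["Process Name"], c["Local Port"]) for c in conns if c["State"].lower() == "listening"]

# Filter strings for lab questions 1 and 2.
QUESTION_1_FILTER = "include:remote:tcp:80 include:remote:udp:53"
QUESTION_2_FILTER = "include:process:firefox.exe"

if __name__ == "__main__":
    conns = parse_export(SAMPLE_EXPORT)
    for spec in (QUESTION_1_FILTER, QUESTION_2_FILTER):
        print(spec, [(c["Process Name"], c["Remote Address"], c["Remote Port"])
                     for c in apply_filters(conns, spec)])
    print("listening:", listening_ports(conns))
```

On the constructed sample, the question 1 filter leaves the chrome.exe connection to remote port 80 and the UDP socket talking to port 53, and the question 2 filter leaves the two firefox.exe rows; an exclude such as exclude:local:tcp:1000-1100 drops the httpd.exe and lsass.exe listeners without touching anything else. A real /stab export from cports.exe can be fed to parse_export in place of the sample as long as its header row carries the same column names.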

Internet Connection Required: ☐ Yes ☑ No

Platform Supported: ☑ Classroom ☑ iLabs


CurrPorts allows you to easily translate all menus, dialog boxes, and strings to other languages.


Lab

Scanning for Network Vulnerabilities Using the GFI LanGuard 2012

GFI LANguard scans networks and ports to detect, assess, and correct any security vulnerabilities that are found.

Lab Scenario

You have learned in the previous lab to monitor TCP/IP and UDP ports on your local computer or network using CurrPorts. This tool automatically marks in pink any suspicious TCP/UDP ports owned by unidentified applications. To prevent attacks pertaining to TCP/IP, you can select one or more items and then close the selected connections.

Your company's web server is hosted by a large ISP and is well protected behind a firewall. Your company needs to audit the defenses used by the ISP. After starting a scan, a serious vulnerability was identified but not immediately corrected by the ISP. An evil attacker uses this vulnerability and places a backdoor on the server. Using the backdoor, the attacker gets complete access to the server and is able to manipulate the information on the server. The attacker also uses the server to leapfrog and attack other servers on the ISP network from this compromised one.

As a security administrator and penetration tester for your company, you need to conduct penetration testing in order to determine the list of threats and vulnerabilities to the network infrastructure you manage. In this lab, you will be using GFI LanGuard 2012 to scan your network to look for vulnerabilities.

Lab Objectives

The objective of this lab is to help students conduct vulnerability scanning, patch management, and network auditing.

In this lab, you need to:

■ Perform a vulnerability scan


Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks


■ Audit the network

■ Detect vulnerable ports

■ Identify security vulnerabilities

■ Correct security vulnerabilities with remedial action

Lab Environment

To perform the lab, you need:

■ GFI LANguard located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\GFI LanGuard

■ You can also download the latest version of GFI LANguard from the link http://www.gfi.com/lannetscan

■ If you decide to download the la te s t v e rs io n , then screenshots shown in the lab might differ

■ A computer running Windows Server 2012 as the host machine

■ Windows Server 2008 running in a virtual machine

■ Microsoft .NET Framework 2.0

■ Administrator privileges to run the GFI LANguard Network Security Scanner

■ It requires the user to register on the GFI website http://www.gfi.com/lannetscan to get a license key

■ Complete the subscription and get an activation code; the user will receive an email that contains an activation code

Lab Duration

Time: 10 Minutes

Overview of Scanning Network

As an administrator, you often have to deal separately with problems related to vulnerability issues, patch management, and network auditing. It is your responsibility to address all the vulnerability management needs and act as a virtual consultant to give a complete picture of a network setup, provide risk analysis, and maintain a secure and compliant network state faster and more effectively.

Security scans or audits enable you to identify and assess possible risks within a network. Auditing operations imply any type of checking performed during a network security audit. These include open port checks, missing Microsoft patches and vulnerabilities, service information, and user or process information.

You can download GFI LANguard from http://www.gfi.com.

GFI LANguard works on Microsoft Windows Server 2008 Standard/Enterprise, Windows Server 2003 Standard/Enterprise, Windows 7 Ultimate, Microsoft Small Business Server 2008 Standard, Small Business Server 2003 (SP1), and Small Business Server 2000 (SP2).

GFI LANguard includes default configuration settings that allow you to run immediate scans soon after the installation is complete.


Lab Tasks

Follow the wizard-driven installation steps to install the GFI LANguard network scanner on the Windows Server 2012 host machine.

1. Navigate to Windows Server 2012 and launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 5.1: Windows Server 2012 - Desktop view

2. Click the GFI LanGuard 2012 app to open the GFI LanGuard 2012 window.


FIGURE 5.2: Windows Server 2012 - Apps

3. The GFI LanGuard 2012 main window appears and displays the Network Audit tab contents.

TASK 1: Scanning for Vulnerabilities

The Zenmap file installs the following files:

■ Nmap Core Files
■ Nmap Path
■ WinPcap 4.1.1
■ Network Interface Import
■ Zenmap (GUI frontend)
■ Ncat (Modern Netcat)
■ Ndiff

To execute a scan successfully, GFI LANguard must remotely log on to target computers with administrator privileges.


[Figure 5.3 screenshot: GFI LanGuard 2012 home screen with the tabs Dashboard, Scan, Remediate, Activity Monitor, Reports, Configuration, Utilities; "GFI LanGuard 2012 is ready to audit your network for vulnerabilities"; options View Dashboard, Remediate Security Issues, Manage Agents, Launch a Scan; Local Computer Vulnerability Level: High; Latest News panel]

The default scanning options, which provide quick access to scanning modes, are:

■ Quick scan
■ Full scan
■ Launch a custom scan
■ Set up a schedule scan

FIGURE 5.3: The GFI LANguard main window

4. Click the Launch a Scan option to perform a network scan.

[Figure 5.4 screenshot: GFI LanGuard 2012 home screen with the Launch a Scan option ("Manually set-up and trigger an agentless network security audit") selected; Local Computer Vulnerability Level: High]

FIGURE 5.4: The GFI LANguard main window indicating the Launch a Custom Scan option

5. The Launch a New Scan window will appear:

i. In the Scan Target option, select localhost from the drop-down list

ii. In the Profile option, select Full Scan from the drop-down list

iii. In the Credentials option, select currently logged on user from the drop-down list

6. Click Scan.

Custom scans are recommended:

■ When performing a one-time scan with particular scanning parameters/profiles

■ When performing a scan for particular network threats and/or system information

■ To perform a target computer scan using a specific scan profile

If intrusion detection software (IDS) is running during scans, GFI LANguard sets off a multitude of IDS warnings and intrusion alerts in these applications.


[Figure 5.5 screenshot: GFI LanGuard 2012 Launch a New Scan pane with the Scan Target, Profile, Credentials, Username and Password fields, the Scan Options link, and the Scan Results Overview and Scan Results Details panes]

FIGURE 5.5: Selecting an option for network scanning

7. Scanning will start; it will take some time to scan the network. See the following figure.

For large network environments, a Microsoft SQL Server/MSDE database backend is recommended instead of the Microsoft Access database.

m Quick scans have relatively short scan duration times compared to full scans, mainly because quick scans perform vulnerability checks of only a subset of the entire database. It is recommended to run a quick scan at least once a week.

8. After the scan completes, the scan result is shown in the left panel.


[Screenshot: GFI LanGuard scan results for Scan target localhost (10.0.0.7, Windows Server 2012). Scan completed; the Vulnerability level for the scan is shown; Results statistics list Audit operations processed, Missing software updates, Other vulnerabilities and Potential vulnerabilities; the Scanner Activity Window logs the scan progress.]

FIGURE 5.7: The GFI LanGuard Custom scan wizard

9. To check the Scan Result Overview, click the IP address of the machine in the right panel

10. It shows the Vulnerability Assessment and Network & Software Audit; click Vulnerability Assessment

[Screenshot: GFI LanGuard Scan Results Details for localhost (Windows Server 2012 x64). Vulnerability level: "This computer does not have a Vulnerability Level yet." Possible reasons listed: the scan has not finished yet; detection of missing patches and vulnerabilities is limited by the credentials used to perform the scan, which may not allow the security scanner to retrieve all the information required to estimate the Vulnerability Level (an account with administrative privileges on the target computer is required); certain security settings on the remote computer block the security scanner's access. The right panel offers Vulnerability Assessment and Network & Software Audit.]

FIGURE 5.8: Selecting Vulnerability Assessment option

Types of scans:

■ Scan a single computer: Select this option to scan a local host or one specific computer.

■ Scan a range of computers: Select this option to scan a number of computers defined through an IP range.

■ Scan a list of computers: Select this option to import a list of targets from a file or to select targets from a network list.

■ Scan computers in text file: Select this option to scan targets enumerated in a specific text file.

■ Scan a domain or workgroup: Select this option to scan all targets connected to a domain or workgroup.


11. It shows all the Vulnerability Assessment indicators by category

[Screenshot: GFI LanGuard Vulnerability Assessment categories for localhost: High Security Vulnerabilities (3), Medium Security Vulnerabilities (6), Low Security Vulnerabilities (4), Potential Vulnerabilities (3), Missing Service Packs and Update Rollups (1), Missing Security Updates (3). The Scan Results Overview tree on the left lists the same categories under Vulnerability Assessment, followed by Network & Software Audit.]

During a full scan, GFI LANguard scans target computers to retrieve setup information and identify all security vulnerabilities including:

■ Missing Microsoft updates

■ System software information, including unauthorized applications, incorrect antivirus settings and outdated signatures

■ System hardware information, including connected modems and USB devices

FIGURE 5.9: List of Vulnerability Assessment categories

12. Click Network & Software Audit in the right panel, and then click System Patching Status, which shows all the system patching statuses

[Screenshot: GFI LanGuard System Patching Status for localhost: Missing Service Packs and Update Rollups (1), Missing Security Updates (3), Missing Non-Security Updates (16), Installed Security Updates (2), Installed Non-Security Updates (1). The Scanner Activity Window reports "Starting security scan of host ... [10.0.0.7]".]

FIGURE 5.10: System patching status report

13. Click Ports, and under this, click Open TCP Ports

Due to the large amount of information retrieved from scanned targets, full scans often tend to be lengthy. It is recommended to run a full scan at least once every 2 weeks.


[Screenshot: GFI LanGuard Scan Results Details, Open TCP Ports (5) for Scan target localhost (10.0.0.7). Each open port is listed with a service description and the trojans known to use it, for example 80 (Hypertext Transfer Protocol), 445 (Microsoft-DS) and 1433 (Microsoft SQL Server database). The left tree shows Vulnerability Assessment, System Patching Status, Ports (Open TCP Ports, Open UDP Ports), Hardware, Software and System Information.]

FIGURE 5.11: TCP/UDP Ports result

14. Click System Information in the right side panel; it shows all the details of the system information

A custom scan is a network audit based on parameters, which you configure on the fly before launching the scanning process. Various parameters can be customized during this type of scan, including:

■ Type of scanning profile (i.e., the type of checks to execute/type of data to retrieve)

■ Scan targets

■ Logon credentials

15. Click Password Policy

[Screenshot: GFI LanGuard Scan Results Details, Password Policy for localhost: Minimum password length: 0 chars; Maximum password age: 42 days; Minimum password age: 0 days; Password history: no history. The System Information tree lists Password Policy, Security Audit Policy (Off), Registry, NetBIOS Names (3), Computer, Groups (28), Users (4), Logged On Users (11), Sessions (2), Services (148), Processes (76) and Remote TOD (Time Of Day).]

FIGURE 5.12: Information of Password Policy

16. Click Groups; it shows all the groups present in the system

The next job after a network security scan is to identify which areas and systems require your immediate attention. Do this by analyzing and correctly interpreting the information collected and generated during a network security scan.


[Screenshot: GFI LanGuard Scan Results Details, Groups for localhost, listing the local groups with their descriptions, including Distributed COM Users, Event Log Readers, Guests, Hyper-V Administrators, IIS_IUSRS, Network Configuration Operators, Performance Log Users, Performance Monitor Users, Power Users, Print Operators, RDS Endpoint Servers and RDS Management Servers.]

FIGURE 5.13: Information of Groups

17. Click the Dashboard tab; it shows all the scanned network information

[Screenshot: GFI LanGuard Dashboard for Entire Network - 1 computer. Security Sensors: Vulnerability Level, Service Packs and Update Rollups, Unauthorized Applications, Malware Protection, Vulnerabilities, Audit Status and Agent Health Issues, each with a computer count; panels for Most Vulnerable Computers, Agent Status, Vulnerability Trend Over Time, Computers by Operating System and Computer Vulnerability Distribution.]

FIGURE 5.14: Scanned report of the network

Lab Analysis

Document all the results, threats, and vulnerabilities discovered during the scanning and auditing process.

A high vulnerability level is the result of vulnerabilities or missing patches whose average severity is categorized as high.

A scheduled scan is a network audit scheduled to run automatically on a specific date/time and at a specific frequency. Scheduled scans can be set to execute once or periodically.

It is recommended to use scheduled scans:

■ To perform periodical/regular network vulnerability scans automatically and using the same scanning profiles and parameters

■ To trigger scans automatically after office hours and to generate alerts and auto-distribution of scan results via email

■ To automatically trigger auto-remediation options (e.g., auto download and deploy missing updates)


Tool/Utility: GFI LanGuard 2012

Information Collected/Objectives Achieved:

■ Vulnerability Level

■ Vulnerability Assessment

■ System Patching Status

■ Scan Results Details for Open TCP Ports

■ Scan Results Details for Password Policy

■ Dashboard - Entire Network: Vulnerability Level, Security Sensors, Most Vulnerable Computers, Agent Status, Vulnerability Trend Over Time, Computer Vulnerability Distribution, Computers by Operating System

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Analyze how GFI LANguard products provide protection against a worm.

2. Evaluate under what circumstances GFI LANguard displays a dialog during patch deployment.

3. Can you change the message displayed when GFI LANguard is performing administrative tasks? If yes, how?

Internet Connection Required

☐ Yes ☑ No

Platform Supported

☑ Classroom ☑ iLabs


Exploring and Auditing a Network Using Nmap

Nmap (Zenmap is the official Nmap GUI) is a free, open source (license) utility for network exploration and security auditing.

Lab Scenario

In the previous lab you learned to use GFI LanGuard 2012 to scan a network to find out the vulnerability level, system patching status, details for open and closed ports, vulnerable computers, etc. An administrator and an attacker can use the same tools to fix or exploit a system. An attacker who learns which computers are vulnerable will act immediately to compromise those systems, using the information gathered during reconnaissance.

Therefore, as an administrator it is very important for you to patch those systems as soon as you have determined all the vulnerabilities in a network, before an attacker audits the network and finds the same weaknesses.

Also, as an ethical hacker and network administrator for your company, your job is to carry out daily security tasks, such as network inventory, service upgrade schedules, and the monitoring of host or service uptime. So, you will be guided in this lab to use Nmap to explore and audit a network.

Lab Objectives

The objective of this lab is to help students learn and understand how to perform a network inventory, manage services and upgrades, schedule network tasks, and monitor host or service uptime and downtime.

In this lab, you need to:

■ Scan TCP and UDP ports

■ Analyze host details and their topology

■ Determine the types of packet filters

ICON KEY

Valuable information

Test your knowledge

Web exercise

Workbook review


■ Record and save all scan reports

■ Compare saved results for suspicious ports

Lab Environment

To perform the lab, you need:

■ Nmap located at D:\CEH-Tools\CEH v8 Module 03 Scanning Networks\Scanning Tools\Nmap

■ You can also download the latest version of Nmap from the link http://nmap.org/

■ If you decide to download the latest version, then screenshots shown in the lab might differ

■ A computer running Windows Server 2012 as a host machine

■ Windows Server 2008 running on a virtual machine as a guest

■ A web browser with Internet access

■ Administrative privileges to run the Nmap tool

Lab Duration

Time: 20 Minutes

Overview of Network Scanning

Network addresses are scanned to determine:

■ What services (application names and versions) those hosts offer

■ What operating systems (and OS versions) they run

■ The type of packet filters/firewalls that are in use, and dozens of other characteristics

Tools demonstrated in this lab are available in D:\CEH-Tools\CEH v8 Module 03 Scanning Networks

Zenmap runs on Windows, including Windows 7 and Server 2003/2008.

Lab Tasks

TASK 1: Intense Scan

Follow the wizard-driven installation steps and install the Nmap (Zenmap) scanner on the host machine (Windows Server 2012).

1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop

FIGURE 6.1: Windows Server 2012 - Desktop view


2. Click the Nmap - Zenmap GUI app to open the Zenmap window

[Screenshot: Windows Server 2012 Start screen showing the Nmap - Zenmap tile alongside Server Manager, Windows PowerShell, Hyper-V Manager, Control Panel and Command Prompt.]

The Zenmap installer installs the following:

■ Nmap Core Files

■ Nmap Path

■ WinPcap 4.1.1

■ Network Interface Import

■ Zenmap (GUI frontend)

■ Ncat (Modern Netcat)

■ Ndiff

FIGURE 6.2: Windows Server 2012 - Apps

3. The Nmap - Zenmap GUI window appears.

Nmap Syntax: nmap [Scan Type(s)] [Options] {target specification}

FIGURE 6.3: The Zenmap main window

In port scan techniques, only one method may be used at a time, except that UDP scan (-sU) and any one of the SCTP scan types (-sY, -sZ) may be combined with any one of the TCP scan types.

4. Enter the virtual machine Windows Server 2008 IP address (10.0.0.4) in the Target: text field. You are performing a network inventory for the virtual machine.

In this lab, the IP address is 10.0.0.4; it will be different in your lab environment.

5. In the Profile: text field, select, from the drop-down list, the type of profile you want to scan.

6. In this lab, select Intense Scan.


7. Click Scan to start scanning the virtual machine.

[Screenshot: Zenmap main window with Target: 10.0.0.4, Profile: Intense scan and Command: nmap -T4 -A -v 10.0.0.4 entered; tabs Nmap Output, Ports / Hosts, Topology, Host Details, Scans; Hosts/Services pane on the left.]

FIGURE 6.4: The Zenmap main window with Target and Profile entered

8. Nmap scans the provided IP address with Intense scan and displays the scan result below the Nmap Output tab.

Nmap Output for nmap -T4 -A -v 10.0.0.4:

Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-24 15:35
NSE: Loaded 93 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 15:35
Scanning 10.0.0.4 [1 port]
Completed ARP Ping Scan at 15:35, 0.17s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:35
Completed Parallel DNS resolution of 1 host. at 15:35, 0.50s elapsed
Initiating SYN Stealth Scan at 15:35
Scanning 10.0.0.4 [1000 ports]
Discovered open port 135/tcp on 10.0.0.4
Discovered open port 139/tcp on 10.0.0.4
Discovered open port 445/tcp on 10.0.0.4
Increasing send delay for 10.0.0.4 from 0 to 5 due to 72 out of 179 dropped probes since last increase.
Discovered open port 49152/tcp on 10.0.0.4
Discovered open port 49154/tcp on 10.0.0.4
Discovered open port 49153/tcp on 10.0.0.4
Discovered open port 49156/tcp on 10.0.0.4
Discovered open port 49155/tcp on 10.0.0.4
Discovered open port 5357/tcp on 10.0.0.4

FIGURE 6.5: The Zenmap main window with the Nmap Output tab for Intense Scan

9. After the scan is complete, Nmap shows the scanned results.

While Nmap attempts to produce accurate results, keep in mind that all of its insights are based on packets returned by the target machines or the firewalls in front of them.

The six port states recognized by Nmap:

■ Open

■ Closed

■ Filtered

■ Unfiltered

■ Open | Filtered

■ Closed | Unfiltered

Nmap accepts multiple host specifications on the command line, and they don't need to be of the same type.


Nmap Output (continued):

PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-methods: No Allow or Public header in OPTIONS response (status code 503)
|_http-title: Service Unavailable
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 00:15:5D:00:07:10 (Microsoft)
Device type: general purpose
Running: Microsoft Windows 7|2008
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008::sp1
OS details: Microsoft Windows 7 or Windows Server 2008 SP1
Uptime guess: 0.256 days (since Fri Aug 24 09:27:40 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

FIGURE 6.6: The Zenmap main window with the Nmap Output tab for Intense Scan

10. Click the Ports/Hosts tab to display more information on the scan results.

11. Nmap also displays the Port, Protocol, State, Service, and Version of the scan.

Ports / Hosts tab for 10.0.0.4:

Port   Protocol  State  Service      Version
135    tcp       open   msrpc        Microsoft Windows RPC
139    tcp       open   netbios-ssn
445    tcp       open   netbios-ssn
5357   tcp       open   http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152  tcp       open   msrpc        Microsoft Windows RPC
49153  tcp       open   msrpc        Microsoft Windows RPC
49154  tcp       open   msrpc        Microsoft Windows RPC
49155  tcp       open   msrpc        Microsoft Windows RPC
49156  tcp       open   msrpc        Microsoft Windows RPC

The options available to control target selection:

■ -iL <inputfilename>

■ -iR <num hosts>

■ --exclude <host1>[,<host2>[,...]]

■ --excludefile <exclude_file>

The following options control host discovery:

■ -sL (List Scan)

■ -sn (No port scan)

■ -Pn (No ping)

■ -PS <port list> (TCP SYN Ping)

■ -PA <port list> (TCP ACK Ping)

■ -PU <port list> (UDP Ping)

■ -PY <port list> (SCTP INIT Ping)

■ -PE; -PP; -PM (ICMP Ping Types)

■ -PO <protocol list> (IP Protocol Ping)

■ -PR (ARP Ping)

■ --traceroute (Trace path to host)

■ -n (No DNS resolution)

■ -R (DNS resolution for all targets)

■ --system-dns (Use system DNS resolver)

■ --dns-servers <server1>[,<server2>[,...]] (Servers to use for reverse DNS queries)

FIGURE 6.7: The Zenmap main window with the Ports/Hosts tab for Intense Scan
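The Ports/Hosts and Services tabs shown above are views over Nmap's own output; in scripted work you save the scan with -oX and read that XML rather than the GUI. What follows is an added example, not code from the CEH manual or from the Nmap project: a small Python parser over a hand-constructed Nmap XML document that mirrors the intense scan above (host 10.0.0.4, nine open TCP ports, plus one constructed UDP port in the open|filtered state to show why the ambiguous states matter). The function names are the example's own; the element and attribute names are those of Nmap's -oX schema. diff_open_ports does the lab objective "compare saved results for suspicious ports" by comparing two parsed scans.

```python
"""Read nmap -oX output into the host/port/service views Zenmap displays.

Added example (not from the CEH lab manual or the Nmap project). SAMPLE_XML is
constructed by hand to mirror the intense scan of 10.0.0.4 in this lab; in
practice run `nmap -T4 -A -v -oX scan.xml 10.0.0.4` and pass the file's text.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in Nmap's -oX schema (nmaprun/host/address/ports/port/state/service).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -T4 -A -v -oX - 10.0.0.4" version="6.01">
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.4" addrtype="ipv4"/>
<address addr="00:15:5D:00:07:10" addrtype="mac" vendor="Microsoft"/>
<ports><extraports state="closed" count="991"/>
<port protocol="tcp" portid="135"><state state="open" reason="syn-ack"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
<port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/><service name="netbios-ssn"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="netbios-ssn"/></port>
<port protocol="tcp" portid="5357"><state state="open" reason="syn-ack"/><service name="http" product="Microsoft HTTPAPI httpd" version="2.0" extrainfo="SSDP/UPnP"/></port>
<port protocol="tcp" portid="49152"><state state="open" reason="syn-ack"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
<port protocol="tcp" portid="49153"><state state="open" reason="syn-ack"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
<port protocol="tcp" portid="49154"><state state="open" reason="syn-ack"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
<port protocol="tcp" portid="49155"><state state="open" reason="syn-ack"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
<port protocol="tcp" portid="49156"><state state="open" reason="syn-ack"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
<port protocol="udp" portid="137"><state state="open|filtered" reason="no-response"/><service name="netbios-ns"/></port>
</ports>
<os><osmatch name="Microsoft Windows 7 or Windows Server 2008 SP1" accuracy="100"/></os>
</host></nmaprun>
"""


def parse_nmap_xml(xml_text):
    """One dict per <host>: ip, mac, state, os and a list of port dicts with
    the same columns as Zenmap's Ports/Hosts tab."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        addrs = {a.get("addrtype"): a.get("addr") for a in h.findall("address")}
        osmatch = h.find("os/osmatch")          # best OS match, if detection ran
        ports = []
        for p in h.findall("ports/port"):
            svc = p.find("service")             # absent when nothing was identified
            version = ""
            if svc is not None:
                version = " ".join(x for x in (svc.get("product"), svc.get("version")) if x)
                if svc.get("extrainfo"):
                    version += f" ({svc.get('extrainfo')})"
            ports.append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "state": p.find("state").get("state"),
                "service": svc.get("name", "") if svc is not None else "",
                "version": version.strip(),
            })
        hosts.append({
            "ip": addrs.get("ipv4") or addrs.get("ipv6"),
            "mac": addrs.get("mac"),
            "state": h.find("status").get("state"),
            "os": osmatch.get("name") if osmatch is not None else None,
            "ports": ports,
        })
    return hosts


def services_view(hosts):
    """Group every port by service name, like Zenmap's Services tab."""
    by_service = defaultdict(list)
    for host in hosts:
        for p in host["ports"]:
            by_service[p["service"]].append(
                (host["ip"], p["port"], p["proto"], p["state"], p["version"]))
    return dict(by_service)


def open_ports(host, confirmed_only=True):
    """(proto, port) pairs Nmap reports as open. With confirmed_only the
    ambiguous open|filtered state (no reply; typical of UDP and of the
    FIN/Null/Xmas scans) is left out so it is not mistaken for a listener."""
    return sorted((p["proto"], p["port"]) for p in host["ports"]
                  if p["state"] == "open"
                  or (not confirmed_only and p["state"].startswith("open")))


def diff_open_ports(baseline, current):
    """Compare a saved scan with a newer one, host by host: {ip: (appeared, gone)}.
    A port that appears between scans is the 'suspicious port' the lab asks about."""
    base = {h["ip"]: set(open_ports(h)) for h in baseline}
    changes = {}
    for h in current:
        now, before = set(open_ports(h)), base.get(h["ip"], set())
        if now != before:
            changes[h["ip"]] = (sorted(now - before), sorted(before - now))
    return changes


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_XML)
    for h in hosts:
        print(h["ip"], h["mac"], h["state"], h["os"])
        for p in h["ports"]:
            print(f"  {p['port']:>5}/{p['proto']:<3} {p['state']:<13} {p['service']:<11} {p['version']}")
    # Constructed "later" scan of the same host where 5357 has gone and 4444 listens.
    later = parse_nmap_xml(SAMPLE_XML.replace('portid="5357"', 'portid="4444"'))
    print("changes since baseline:", diff_open_ports(hosts, later))
```

Note that open_ports excludes open|filtered by default: for a UDP or Xmas scan, "no reply" is not evidence of a listener, and treating it as one is how a saved-results comparison fills up with false positives.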


12. Click the Topology tab to view Nmap's topology for the provided IP address in the Intense scan Profile.

FIGURE 6.8: The Zenmap main window with Topology tab for Intense Scan

13. Click the Host Details tab to see the details of all hosts discovered during the intense scan profile.

Host Details for 10.0.0.4:

Host Status
State: up
Open ports: 9
Filtered ports: 0
Closed ports: 991
Scanned ports: 1000
Uptime: 22151
Last boot: Fri Aug 24 09:27:40 2012

Addresses
IPv4: 10.0.0.4
IPv6: Not available
MAC: 00:15:5D:00:07:10

Operating System
Name: Microsoft Windows 7 or Windows Server 2008 SP1
Accuracy:
Ports used

FIGURE 6.9: The Zenmap main window with Host Details tab for Intense Scan

By default, Nmap performs a host discovery and then a port scan against each host it determines to be on line.

By default, Nmap determines your DNS servers (for rDNS resolution) from your resolv.conf file (UNIX) or the Registry (Win32).


14. Click the Scans tab to see the scan details for the provided IP addresses.

[Screenshot: Zenmap Scans tab listing Status: Unsaved, Command: nmap -T4 -A -v 10.0.0.4, with Append Scan, Remove Scan and Cancel Scan buttons.]

FIGURE 6.10: The Zenmap main window with Scan tab for Intense Scan

15. Now, click the Services tab located in the left pane of the window. This tab displays the list of services.

16. Click the http service to list all the HTTP Hostnames/IP addresses, Ports, and their states (Open/Closed).

Services tab, http:

Hostname  Port  Protocol  State  Version
10.0.0.4  5357  tcp       open   Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

Nmap offers options for specifying which ports are scanned and whether the scan order is randomized or sequential.

In Nmap, option -p <port ranges> means scan only specified ports.

In Nmap, option -F means fast (limited port) scan.

FIGURE 6.11: The Zenmap main window with Services option for Intense Scan


17. Click the msrpc service to list all the Microsoft Windows RPC ports.

Services tab, msrpc:

Hostname  Port   Protocol  State  Version
10.0.0.4  49156  tcp       open   Microsoft Windows RPC
10.0.0.4  49155  tcp       open   Microsoft Windows RPC
10.0.0.4  49154  tcp       open   Microsoft Windows RPC
10.0.0.4  49153  tcp       open   Microsoft Windows RPC
10.0.0.4  49152  tcp       open   Microsoft Windows RPC
10.0.0.4  135    tcp       open   Microsoft Windows RPC

In Nmap, option --port-ratio <ratio> (a decimal number between 0 and 1) scans all ports in the nmap-services file with a ratio greater than the one given.

FIGURE 6.12: The Zenmap main window with msrpc Service for Intense Scan

18. Click the netbios-ssn service to list all NetBIOS hostnames.

Services tab, netbios-ssn:

Hostname  Port  Protocol  State
10.0.0.4  445   tcp       open
10.0.0.4  139   tcp       open

FIGURE 6.13: The Zenmap main window with netbios-ssn Service for Intense Scan

TASK 2: Xmas Scan

19. An Xmas scan sends a TCP segment to the remote host with the FIN, PSH, and URG flags set, lighting the packet up like a Christmas tree. Like the FIN and Null scans, it only works against TCP/IP stacks implemented according to RFC 793: a closed port answers with RST, while an open port silently drops the segment, so Nmap reports a port that returns nothing as open|filtered. Microsoft Windows does not follow this part of the RFC; it answers RST for every port, open or closed, so an Xmas scan against a Windows target shows every port as closed and reveals nothing.

In Nmap, option -r means don't randomize ports.

20. Now, to perform an Xmas scan, you need to create a new profile. Click Profile → New Profile or Command (Ctrl+P).

The option --max-retries <numtries> specifies the maximum number of port scan probe retransmissions.

21. On the Profile tab, enter Xmas Scan in the Profile name text field.

The option --host-timeout <time> gives up on slow target hosts.

FIGURE 6.15: The Zenmap Profile Editor window with the Profile tab


22. Click the Scan tab, and select Xmas Tree scan (-sX) from the TCP scans: drop-down list.

FIGURE 6.16: The Zenmap Profile Editor window with the Scan tab (the TCP scan: drop-down list offers ACK, FIN, Maimon, Null, TCP SYN, TCP connect, Window and Xmas Tree scans)

23. Select None in the Non-TCP scans: drop-down list and Aggressive (-T4) in the Timing template: list, and click Save Changes.

FIGURE 6.17: The Zenmap Profile Editor window with the Scan tab (TCP scan: Xmas Tree scan (-sX), Non-TCP scans: None, Timing template: Aggressive (-T4); the command line now reads nmap -sX -T4 -A -v 10.0.0.4)

24. Enter the IP address in the Target: field, select the Xmas scan option from the Profile: field, and click Scan.

UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run.

Nmap detects rate limiting and slows down accordingly to avoid flooding the network with useless packets that the target machine drops.

You can speed up your UDP scans by scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from behind the firewall, and using --host-timeout to skip slow hosts.

In Nmap, option -sY (SCTP INIT scan) is often referred to as half-open scanning, because you don't open a full SCTP association. You send an INIT chunk, as if you were going to open a real association, and then wait for a response.

FIGURE 6.18: The Zenmap main window with Target and Profile entered (Target: 10.0.0.4, Profile: Xmas Scan, Command: nmap -sX -T4 -A -v 10.0.0.4)

25. Nmap scans the target IP address provided and displays results on the Nmap Output tab.

FIGURE 6.19: The Zenmap main window with the Nmap Output tab (the Xmas scan output reports "Completed XMAS Scan at 16:30, 8.36s elapsed (1000 total ports)" and "Host is up")

When scanning systems compliant with this RFC text, any packet not containing SYN, RST, or ACK bits results in a returned RST if the port is closed, and no response at all if the port is open.

The option -sA (TCP ACK scan) is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.

26. Click the Services tab located at the right side of the pane. It displays all the services of that host.

FIGURE 6.20: The Zenmap main window with the Services tab

27. The Null scan works only if the operating system's TCP/IP implementation is developed according to RFC 793. In a Null scan, attackers send a TCP frame to a remote host with no flags set.

28. To perform a Null scan for a target IP address, create a new profile. Click Profile → New Profile or Command (Ctrl+P).

FIGURE 6.21: The Zenmap main window with the New Profile or Command option

TASK 3
Null Scan

The option Null Scan (-sN) does not set any bits (the TCP flag header is 0).

The option -sZ (SCTP COOKIE ECHO scan) is a more advanced SCTP scan. It takes advantage of the fact that SCTP implementations should silently drop packets containing COOKIE ECHO chunks on open ports but send an ABORT if the port is closed.


29. On the Profile tab, input the profile name Null Scan in the Profile name text field.

The option -sI <zombie host>[:<probeport>] (idle scan) is an advanced scan method that allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a unique side-channel attack exploits predictable IP fragmentation ID sequence generation on the zombie host to glean information about the open ports on the target.

FIGURE 6.22: The Zenmap Profile Editor with the Profile tab

30. Click the Scan tab in the Profile Editor window. Now select the Null Scan (-sN) option from the TCP scan: drop-down list.

FIGURE 6.23: The Zenmap Profile Editor with the Scan tab (the TCP scan: drop-down list open, showing Null scan (-sN))

31. Select None from the Non-TCP scans: drop-down field and select Aggressive (-T4) from the Timing template: drop-down field.

32. Click Save Changes to save the newly created profile.

The option -b <FTP relay host> (FTP bounce scan) allows a user to connect to one FTP server, and then ask that files be sent to a third-party server. Such a feature is ripe for abuse on many levels, so most servers have ceased supporting it.

The option -r (Don't randomize ports): By default, Nmap randomizes the scanned port order (except that certain commonly accessible ports are moved near the beginning for efficiency reasons). This randomization is normally desirable, but you can specify -r for sequential (sorted from lowest to highest) port scanning instead.


FIGURE 6.24: The Zenmap Profile Editor with the Scan tab (TCP scan: Null scan (-sN), Non-TCP scans: None, Timing template: Aggressive (-T4))

33. In the main window of Zenmap, enter the target IP address to scan, select the Null Scan profile from the Profile drop-down list, and then click Scan.

In Nmap, option --version-all (Try every single probe) is an alias for --version-intensity 9, ensuring that every single probe is attempted against each port.

The option --top-ports <n> scans the <n> highest-ratio ports found in the nmap-services file. <n> must be 1 or greater.

The option -sR (RPC scan) works in conjunction with the various port scan methods of Nmap. It takes all the TCP/UDP ports found open and floods them with SunRPC program NULL commands in an attempt to determine whether they are RPC ports, and if so, what program and version number they serve up.

FIGURE 6.25: The Zenmap main window with Target and Profile entered (Target: 10.0.0.4, Profile: Null Scan)

34. Nmap scans the target IP address provided and displays results in the Nmap Output tab.

FIGURE 6.26: The Zenmap main window with the Nmap Output tab (the Null scan output reports "Completed NULL Scan at 16:47, 7.78s elapsed (1000 total ports)" and "Host is up"; Command: nmap -sN -T4 -A -v 10.0.0.4)

35. Click the Host Details tab to view the details of hosts, such as Host Status, Addresses, Open Ports, and Closed Ports.


FIGURE 6.27: The Zenmap main window with the Host Details tab (Host Status: State up, Open ports 0, Filtered ports 0, Closed ports 1000, Scanned ports 1000; Addresses: IPv4 10.0.0.4, MAC 00:15:5D:00:07:10)

36. Attackers send an ACK probe packet with a random sequence number. No response means the port is filtered, and an RST response means the port is not filtered.
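The response rules behind the Xmas scan (step 19), the Null scan (step 27), the RFC 793 note above and the ACK probe (step 36), turned into code: an added example for this lab, not part of the CEH manual and not Nmap code. The tcpdump-style log lines are constructed, and the scanner address 10.0.0.9 and the client 10.0.0.7 are assumed; only the lab target 10.0.0.4 comes from the page.

```python
"""Interpreting Xmas, Null, FIN and ACK scan responses, and spotting such
probes in a packet log. Added example for this lab; not CEH manual or Nmap
code. It models the RFC 793 behaviour the lab relies on: a probe carrying
none of SYN, RST or ACK draws a RST from a closed port and nothing from an
open port, while an ACK probe draws a RST from any port a firewall passes."""
import re
from collections import defaultdict

# Flag letters in tcpdump notation: S=SYN, .=ACK, F=FIN, P=PSH, U=URG, R=RST.
PROBE_FLAGS = {
    "xmas": frozenset("FPU"),  # nmap -sX: FIN, PSH and URG set
    "null": frozenset(),       # nmap -sN: no flags at all
    "fin": frozenset("F"),     # nmap -sF
    "ack": frozenset("."),     # nmap -sA
}

def _flagset(flags):
    """tcpdump prints 'none' for a packet with no flags; normalise that."""
    return frozenset() if flags == "none" else frozenset(flags)

def rfc793_response(flags, port_state, compliant=True):
    """Response of a target stack to one probe carrying tcpdump-style flags.

    port_state is "open", "closed" or "filtered" (dropped by a firewall).
    compliant=False models a stack such as Windows that answers every
    Xmas/Null/FIN probe with a RST whatever the port state, which is why
    the lab's Null scan of 10.0.0.4 reports all 1000 ports closed.
    Returns "RST", "SYN/ACK" or None (no response at all)."""
    f = _flagset(flags)
    if port_state == "filtered" or "R" in f:
        return None                  # dropped, or a RST is never answered
    if "S" in f and "." not in f:
        return "SYN/ACK" if port_state == "open" else "RST"
    if "." in f:
        return "RST"                 # ACK with no connection: RST either way
    if port_state == "closed" or not compliant:
        return "RST"
    return None                      # Xmas/Null/FIN on an open RFC 793 port

def infer_port_state(scan, response):
    """How Nmap reports a port from the response to one probe of `scan`."""
    if scan == "ack":
        return "unfiltered" if response == "RST" else "filtered"
    if scan not in PROBE_FLAGS:
        raise ValueError(f"unknown scan type: {scan}")
    return "closed" if response == "RST" else "open|filtered"

PROBE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]")

def classify_probe(flags):
    """Scan type whose probe carries exactly these flags, or None."""
    f = _flagset(flags)
    for name, signature in PROBE_FLAGS.items():
        if f == signature:
            return name
    return None

def detect_scans(log, ack_threshold=3):
    """One alert per (source, target, scan type) found in tcpdump-style text.
    Xmas, Null and FIN probes never occur in legitimate traffic, so one is
    enough; a bare ACK is normal inside an established connection, so an
    ACK-scan alert needs at least `ack_threshold` distinct target ports."""
    ports_by_key = defaultdict(set)
    for line in log.splitlines():
        m = PROBE_RE.search(line)
        if not m:
            continue
        kind = classify_probe(m["flags"])
        if kind is not None:
            ports_by_key[(m["src"], m["dst"], kind)].add(int(m["dport"]))
    alerts = []
    for (src, dst, kind), ports in sorted(ports_by_key.items()):
        needed = ack_threshold if kind == "ack" else 1
        if len(ports) >= needed:
            alerts.append({"src": src, "dst": dst, "scan": kind,
                           "ports": sorted(ports)})
    return alerts

# Constructed tcpdump-style lines, not captured from the lab network.
# 10.0.0.9 (assumed scanner) probes the lab target 10.0.0.4 with Xmas, Null
# and ACK packets; 10.0.0.7 (assumed client) opens a normal connection.
SAMPLE_LOG = """\
16:29:01.100 IP 10.0.0.9.41234 > 10.0.0.4.135: Flags [FPU], seq 0, win 1024
16:29:01.101 IP 10.0.0.9.41234 > 10.0.0.4.445: Flags [FPU], seq 0, win 1024
16:47:02.200 IP 10.0.0.9.41235 > 10.0.0.4.135: Flags [none], seq 0, win 1024
16:47:02.201 IP 10.0.0.9.41235 > 10.0.0.4.139: Flags [none], seq 0, win 1024
17:03:03.300 IP 10.0.0.9.41236 > 10.0.0.4.135: Flags [.], ack 1, win 1024
17:03:03.301 IP 10.0.0.9.41236 > 10.0.0.4.139: Flags [.], ack 1, win 1024
17:03:03.302 IP 10.0.0.9.41236 > 10.0.0.4.445: Flags [.], ack 1, win 1024
17:05:00.000 IP 10.0.0.7.50001 > 10.0.0.4.445: Flags [S], seq 1, win 8192
17:05:00.002 IP 10.0.0.7.50001 > 10.0.0.4.445: Flags [.], ack 3, win 8192
"""

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
    # Scanner's view of the lab's Null scan against a Windows host: every
    # port answers RST, so Zenmap shows 1000 closed ports.
    print(infer_port_state("null", rfc793_response("none", "open", False)))
```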

The option --version-trace (Trace version scan activity) causes Nmap to print out extensive debugging info about what version scanning is doing. It is a subset of what you get with --packet-trace.

TASK 4
ACK Flag Scan

37. To perform an ACK Flag Scan for a target IP address, create a new profile. Click Profile → New Profile or Command (Ctrl+P).

The option --script-updatedb updates the script database found in scripts/script.db, which is used by Nmap to determine the available default scripts and categories. It is necessary to update the database only if you have added or removed NSE scripts from the default scripts directory or if you have changed the categories of any script. This option is generally used by itself: nmap --script-updatedb.

FIGURE 6.28: The Zenmap main window with the New Profile or Command option

38. On the Profile tab, input ACK Flag Scan in the Profile name text field.


FIGURE 6.29: The Zenmap Profile Editor window with the Profile tab (Profile name: ACK Flag Scan)

39. To select the parameters for an ACK scan, click the Scan tab in the Profile Editor window, select ACK scan (-sA) from the Non-TCP scans: drop-down list, and select None for all the other fields but leave the Targets: field empty.

The options --min-parallelism <numprobes> and --max-parallelism <numprobes> (Adjust probe parallelization) control the total number of probes that may be outstanding for a host group. They are used for port scanning and host discovery. By default, Nmap calculates an ever-changing ideal parallelism based on network performance.


The options --min-rtt-timeout <time>, --max-rtt-timeout <time>, and --initial-rtt-timeout <time> (Adjust probe timeouts): Nmap maintains a running timeout value for determining how long it waits for a probe response before giving up or retransmitting the probe. This is calculated based on the response times of previous probes.

FIGURE 6.30: The Zenmap Profile Editor window with the Scan tab (TCP scan: ACK scan (-sA), Non-TCP scans: None)

40. Now click the Ping tab and check IPProto probes (-PO) to probe the IP address, and then click Save Changes.

FIGURE 6.31: The Zenmap Profile Editor window with the Ping tab (IPProto probes (-PO) checked)

The option --max-retries <numtries> (Specify the maximum number of port scan probe retransmissions): When Nmap receives no response to a port scan probe, it can mean the port is filtered. Or maybe the probe or response was simply lost on the network.

41. In the Zenmap main window, input the IP address of the target machine (in this Lab: 10.0.0.3), select ACK Flag Scan from the Profile: drop-down list, and then click Scan.

The option --host-timeout <time> (Give up on slow target hosts): Some hosts simply take a long time to scan. This may be due to poorly performing or unreliable networking hardware or software, packet rate limiting, or a restrictive firewall. The slowest few percent of the scanned hosts can eat up a majority of the scan time.

42. Nmap scans the target IP address provided and displays results on the Nmap Output tab.

The options --scan-delay <time> and --max-scan-delay <time> (Adjust delay between probes): This option causes Nmap to wait at least the given amount of time between each probe it sends to a given host. This is particularly useful in the case of rate limiting.

43. To view more details regarding the hosts, click the Host Details tab.

FIGURE 6.32: The Zenmap main window with the Target and Profile entered (Target: 10.0.0.4, Profile: ACK Flag Scan, Command: nmap -sA -PO 10.0.0.4)

FIGURE 6.33: The Zenmap main window with the Nmap Output tab (the output reports "All 1000 scanned ports on 10.0.0.4 are unfiltered", MAC Address 00:15:5D:00:07:10 (Microsoft), and "Nmap done: 1 IP address (1 host up) scanned in 7.57 seconds")

The options --min-rate <number> and --max-rate <number> (Directly control the scanning rate): Nmap's dynamic timing does a good job of finding an appropriate speed at which to scan. Sometimes, however, you may happen to know an appropriate scanning rate for a network, or you may have to guarantee that a scan finishes by a certain time.

FIGURE 6.34: The Zenmap main window with the Host Details tab (Scanned ports: 1000; IPv4: 10.0.0.4; MAC: 00:15:5D:00:07:10)

Lab Analysis

Document all the IP addresses, open and closed ports, services, and protocols you discovered during the lab.

Tool/Utility: Nmap

Information Collected/Objectives Achieved:

Types of Scan used:

■ Intense scan
■ Xmas scan
■ Null scan
■ ACK Flag scan

Intense Scan — Nmap Output

■ ARP Ping Scan - 1 host
■ Parallel DNS resolution of 1 host
■ SYN Stealth Scan
■ Discovered open port on 10.0.0.4
  o 135/tcp, 139/tcp, 445/tcp, ...
■ MAC Address
■ Operating System Details
■ Uptime Guess
■ Network Distance
■ TCP Sequence Prediction
■ IP ID Sequence Generation
■ Service Info


YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Analyze and evaluate the results by scanning a target network using:

a. Stealth Scan (Half-open Scan)

b. nmap -P

2. Perform Inverse TCP Flag Scanning and analyze hosts and services for a target machine in the network.

Internet Connection Required

☐ Yes ☑ No

Platform Supported

☑ Classroom ☑ iLabs


Scanning a Network Using the NetScanTools Pro

NetScanTools Pro is an integrated collection of internet information gathering and network troubleshooting utilities for Network Professionals.

Lab Scenario

You have already noticed in the previous lab how you can gather information such as ARP ping scan, MAC address, operating system details, IP ID sequence generation, service info, etc. through Intense Scan, Xmas Scan, Null Scan and ACK Flag Scan in Nmap. An attacker can simply scan a target without sending a single packet to the target from their own IP address; instead, they use a zombie host to perform the scan remotely, and if an intrusion detection report is generated, it will display the IP of the zombie host as the attacker. Attackers can easily know how many packets have been sent since the last probe by checking the IP packet fragment identification number (IPID).

As an expert penetration tester, you should be able to determine whether a TCP port is open by sending a SYN (session establishment) packet to the port. The target machine will respond with a SYN ACK (session request acknowledgement) packet if the port is open and RST (reset) if the port is closed, and you should be prepared to block any such attacks on the network.

In this lab you will learn to scan a network using NetScanTools Pro. You also need to discover the network and gather information about Internet or local LAN network devices, IP addresses, domains, device ports, and many other network specifics.

Lab Objectives

The objective of this lab is to assist in troubleshooting, diagnosing, monitoring, and discovering devices on a network.

In this lab, you need to:

■ Discover IPv4/IPv6 addresses, hostnames, domain names, email addresses, and URLs

■ Detect local ports


Lab Environment

To perform the lab, you need:

■ NetScanTools Pro located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\NetScanTools Pro

■ You can also download the latest version of NetScanTools Pro from the link http://www.netscantools.com/nstpromain.html

■ If you decide to download the latest version, then the screenshots shown in the lab might differ

■ A computer running Windows Server 2012

■ Administrative privileges to run the NetScanTools Pro tool

Lab Duration

Time: 10 Minutes

Overview of Network Scanning

Network scanning is the process of examining the activity on a network, which can include monitoring data flow as well as monitoring the functioning of network devices. Network scanning serves to promote both the security and performance of a network. Network scanning may also be employed from outside a network in order to identify potential network vulnerabilities.

NetScanTools Pro performs the following network scanning functions:

■ Monitoring network device availability

■ Notifying you of IP addresses, hostnames, domain names, and port scanning results

L a b T a s k s

In s ta ll N e tS c a n T o o l P r o in y o u r W in d o w S e rv e r 2 0 1 2 .

F o llo w d ie w iz a rd - d r iv e n in s ta l la t io n s te p s a n d in s ta l l NetScan Tool Pro.

1. L a u n c h th e Start m e n u b y h o v e r i n g d ie m o u s e c u r s o r i n t h e lo w e r - l e f t

c o r n e r o f t h e d e s k t o p

'1J#

4 W in d o w s S e r \* f 2012

* taataiermXni faemeCvcidilcOetoceitc EMtuaian copy, luld M>:

FIGURE /.l: Windows Server 2012- Desktop view

2 . C l ic k t h e NetScan Tool Pro a p p t o o p e n t h e NetScan Tool Pro w in d o w

S 7 Tools demonstrated in this lab are available in D:\CEH- Tools\CEHv8 Module 03 Scanning Networks

S T A S K 1Scanning the

Network

^ Active Discovery and Diagnostic Tools that you can use to locate and test devices connected to your network. Active discovery means that we send packets to the devices in order to obtain responses..


FIGURE 7.2: Windows Server 2012 - Apps

3. If you are using the Demo version of NetScanTools Pro, then click Start the DEMO

4. The Open or Create a New Result Database - NetScanTools Pro window will appear; enter a new database name in Database Name (enter new name here)

5. Set a default directory for the results database file location, and click Continue

FIGURE 7.3: Setting a new database name for NetScanTools Pro

6. The NetScanTools Pro main window will appear as shown in the following figure

The database entered in Database Name is created in the Results Database Directory; its file name is prefixed with NstProData- and has the file extension .db3

USB Version: start the software by locating nstpro.exe on your USB drive; it is normally in the /nstpro directory


FIGURE 7.4: Main window of NetScanTools Pro

7. Select Manual Tools (all) on the left panel and click ARP Ping. A window will appear with information about the ARP Ping tool.

8. Click OK

FIGURE 7.5: Selecting manual tools option

9. Select the Send Broadcast ARP, then Unicast ARP radio button, enter the IP address in Target IPv4 Address, and click Send Arp

IP version 6 addresses have a different format from IPv4 addresses and they can be much longer or far shorter. IPv6 addresses always contain 2 or more colon characters and never contain periods. Example: 2001:4860:b006::69 (ipv6.google.com) or ::1 (internal loopback address)

Arp Ping is a useful tool capable of sending ARP packets to a target IP address and it can also search for multiple devices sharing the same IP address on your LAN


FIGURE 7.6: Result of ARP Ping

10. Click ARP Scan (MAC Scan) in the left panel. A window will appear with information about the ARP Scan tool. Click OK

Send Broadcast ARP, and then Unicast ARP - this mode first sends an ARP packet to the IPv4 address using the broadcast ARP MAC address. Once it receives a response, it sends subsequent packets to the responding MAC address. The source IP address is your interface IP as defined in the Local IP selection box

ARP Scan (sometimes called a MAC Scan) sends ARP packets to the range of IPv4 addresses specified by the Start and End IP Address entry boxes. The purpose of this tool is to rapidly sweep your subnet for IPv4 connected devices.

FIGURE 7.7: Selecting ARP Scan (MAC Scan) option

11. Enter the range of IPv4 addresses in the Starting IPv4 Address and Ending IPv4 Address text boxes

12. Click Do Arp Scan


The Connection-Detection tool listens for incoming connections on TCP or UDP ports. It can also listen for ICMP packets. The sources of the incoming connections are shown in the results list and are logged to a SQLite database.

13. Click DHCP Server Discovery in the left panel. A window will appear with information about the DHCP Server Discovery tool. Click OK

DHCP is a method of dynamically assigning IP addresses and other network parameter information to network clients from DHCP servers.

FIGURE 7.9: Selecting DHCP Server Discovery tool option

14. Select all the Discover Options check boxes and click Discover DHCP Servers

FIGURE 7.8: Result of ARP Scan (MAC Scan)


NetScanner: this is a Ping Scan or Sweep tool. It can optionally attempt to use NetBIOS to gather MAC addresses and Remote Machine Name Tables from Windows targets, translate the responding IP addresses to hostnames, query the target for a subnet mask using ICMP, and use ARP packets to resolve IP address/MAC address associations

FIGURE 7.10: Result of DHCP Server Discovery

15. Click Ping Scanner in the left panel. A window will appear with information about the Ping Scanner tool. Click OK

Port Scanner is a tool designed to determine which ports on a target computer are active, i.e. being used by services or daemons.

16. Select the Use Default System DNS radio button, and enter the range of IP addresses in the Start IP and End IP boxes

17. Click Start

FIGURE 7.11: Selecting Ping Scanner option


Traceroute is a tool that shows the route your network packets are taking between your computer and a target host. You can determine the upstream internet provider(s) that service a network connected device.

FIGURE 7.12: Result of scanning the IP address range

18. Click Port Scanner in the left panel. A window will appear with information about the Port Scanner tool. Click OK

FIGURE 7.13: Selecting Port Scanner option

19. Enter the IP address in the Target Hostname or IP Address field and select the TCP Ports only radio button

20. Click Scan Range of Ports
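The ARP Scan (steps 10-12), Ping Scanner (steps 15-17) and Port Scanner (steps 18-20) tasks leave the same pattern on the wire: one source contacting many distinct hosts, or many distinct ports on one host, within a few seconds. The Python below is an added example, not part of the lab manual or of NetScanTools Pro; it runs that fan-out check over a constructed packet log resembling the lab's scans from 10.0.0.7, with thresholds, timings and the 00:15:5d MAC prefix chosen for illustration.

```python
"""Flag the sweeps that the ARP Scan, Ping Scanner and Port Scanner tasks produce,
by measuring per-source fan-out inside a short time window.

Added example; not part of the CEH lab manual or of NetScanTools Pro. The capture
below is constructed to resemble what a sensor on the 10.0.0.0/24 lab segment
would record while the scans run from 10.0.0.7.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float       # seconds since capture start
    proto: str      # "arp", "icmp" or "tcp"
    src: str        # sender MAC for ARP, source IPv4 address otherwise
    dst: str        # IPv4 address being probed
    dport: int = 0  # TCP destination port (0 for ARP/ICMP)


WINDOW = 10.0       # seconds of traffic examined at a time (illustrative)
HOST_SWEEP_MIN = 8  # distinct IPs one source must probe to count as a sweep
PORT_SCAN_MIN = 10  # distinct ports one source must probe on one host


def _max_distinct_in_window(events, window):
    """events: time-ordered (ts, value) pairs. Return the largest number of
    distinct values seen in any trailing window of `window` seconds."""
    best = 0
    for i, (ts_i, _) in enumerate(events):
        distinct = {v for ts, v in events[: i + 1] if ts >= ts_i - window}
        best = max(best, len(distinct))
    return best


def detect_sweeps(packets, window=WINDOW, host_min=HOST_SWEEP_MIN,
                  port_min=PORT_SCAN_MIN):
    """Return (kind, source, target, distinct_count) tuples, one per offending
    (source, target) pair. kind is 'arp-sweep', 'ping-sweep' or 'port-scan';
    target is '*' for the two host sweeps and the scanned host for a port scan."""
    groups = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        if p.proto == "arp":
            groups[("arp-sweep", p.src, "*")].append((p.ts, p.dst))
        elif p.proto == "icmp":
            groups[("ping-sweep", p.src, "*")].append((p.ts, p.dst))
        elif p.proto == "tcp":
            groups[("port-scan", p.src, p.dst)].append((p.ts, p.dport))
    findings = []
    for (kind, src, tgt), events in groups.items():
        threshold = port_min if kind == "port-scan" else host_min
        count = _max_distinct_in_window(events, window)
        if count >= threshold:
            findings.append((kind, src, tgt, count))
    return findings


def sample_capture():
    """Constructed traffic: the three lab scans from 10.0.0.7 plus benign noise."""
    pkts = []
    # ARP Scan (MAC Scan) of 10.0.0.1-10.0.0.20, one request every 100 ms.
    pkts += [Packet(0.1 * i, "arp", "00:15:5d:00:00:07", f"10.0.0.{i}")
             for i in range(1, 21)]
    # Ping Scanner over 10.0.0.1-10.0.0.50 at a 50 ms packet delay.
    pkts += [Packet(5 + 0.05 * i, "icmp", "10.0.0.7", f"10.0.0.{i}")
             for i in range(1, 51)]
    # Port Scanner: TCP ports 1-25 on 10.0.0.1.
    pkts += [Packet(10 + 0.1 * i, "tcp", "10.0.0.7", "10.0.0.1", i)
             for i in range(1, 26)]
    # Benign: the gateway resolving three hosts over a minute, and one client
    # reopening SMB and HTTPS sessions to the same file server.
    pkts += [Packet(20 * i, "arp", "00:15:5d:00:00:01", f"10.0.0.{2 + i}")
             for i in range(3)]
    pkts += [Packet(30 + i, "tcp", "10.0.0.5", "10.0.0.2", 445 if i % 2 else 443)
             for i in range(30)]
    return pkts


if __name__ == "__main__":
    for kind, src, tgt, n in detect_sweeps(sample_capture()):
        print(f"{kind:<11} from {src:<18} target {tgt:<9} distinct={n}")
```

Only the three scans are reported; the gateway's slow ARP lookups and the repeated SMB/HTTPS connections stay below the thresholds because the check counts distinct targets inside the window, not raw packet volume.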

Whois is a client utility that acts as an interface to a remote whois server database. This database may contain domain, IP address or AS Number registries that you can access given the correct query


FIGURE 7.14: Result of Port Scanner

Lab Analysis

Document all the IP addresses, open and closed ports, services, and protocols you discovered during the lab.

Tool/Utility: NetScanTools Pro

Information Collected/Objectives Achieved:

ARP Scan Results:

■ IPv4 Address

■ MAC Address

■ I/F Manufacturer

■ Hostname

■ Entry Type

■ Local Address

Information for Discovered DHCP Servers:

■ IPv4 Address: 10.0.0.7

■ Interface Description: Hyper-V Virtual Ethernet Adapter #2

■ DHCP Server IP: 10.0.0.1

■ Server Hostname: 10.0.0.1

■ Offered IP: 10.0.0.7

■ Offered Subnet Mask: 255.255.255.0


Questions

1. Does NetScanTools Pro support proxy servers or firewalls?

Internet Connection Required

☐ Yes ☑ No

Platform Supported

☑ Classroom ☑ iLabs


Drawing Network Diagrams Using LANSurveyor

LANsurveyor discovers a network and produces a comprehensive network diagram that integrates OSI Layer 2 and Layer 3 topology data.

Lab Scenario

An attacker can gather information from ARP Scan, DHCP Servers, etc. using NetScanTools Pro, as you have learned in the previous lab. Using this information an attacker can compromise a DHCP server on the network; they might disrupt network services, preventing DHCP clients from connecting to network resources. By gaining control of a DHCP server, attackers can configure DHCP clients with fraudulent TCP/IP configuration information, including an invalid default gateway or DNS server configuration.
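Step 14 of the previous lab lists every server answering DHCP discovery on the segment; the scenario above describes what a rogue or compromised server does with that position. The Python below is an added example, not part of the lab manual, NetScanTools Pro or LANsurveyor: it audits captured DHCPOFFERs against the configuration the segment is supposed to hand out. The log line format, the expected configuration and the three offers are constructed for the example, using the lab's 10.0.0.0/24 addressing.

```python
"""Audit DHCP OFFERs captured on a segment against the configuration the network
is supposed to hand out, so an unknown or compromised DHCP server stands out.

Added example; not part of the CEH lab manual, NetScanTools Pro or LANsurveyor.
The log format, the expected configuration and the offers are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DhcpOffer:
    server_ip: str          # server identifier (option 54)
    offered_ip: str         # yiaddr
    subnet_mask: str        # option 1
    router: str             # option 3
    dns_servers: tuple      # option 6


@dataclass(frozen=True)
class ExpectedConfig:
    servers: frozenset      # authorised DHCP server addresses
    network: str            # prefix clients must be placed in
    router: str             # the one legitimate default gateway
    dns_servers: frozenset  # the only resolvers clients should be given


# Constructed capture: one sensor line per DHCPOFFER, fields as key=value.
SAMPLE_LOG = """\
2012-08-17T10:01:02 DHCPOFFER server=10.0.0.1 yiaddr=10.0.0.7 mask=255.255.255.0 router=10.0.0.1 dns=10.0.0.1
2012-08-17T10:01:02 DHCPOFFER server=10.0.0.66 yiaddr=10.0.0.150 mask=255.255.255.0 router=10.0.0.66 dns=10.0.0.66
2012-08-17T10:01:09 DHCPOFFER server=10.0.0.1 yiaddr=10.0.1.20 mask=255.255.255.0 router=10.0.0.1 dns=10.0.0.1,10.0.0.2
"""

# Constructed expected configuration for the lab segment.
EXPECTED = ExpectedConfig(servers=frozenset({"10.0.0.1"}), network="10.0.0.0/24",
                          router="10.0.0.1",
                          dns_servers=frozenset({"10.0.0.1", "10.0.0.2"}))


def parse_offers(log_text):
    """Turn DHCPOFFER log lines into DhcpOffer records; other lines are ignored."""
    offers = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "DHCPOFFER":
            continue
        kv = dict(p.split("=", 1) for p in parts[2:])
        offers.append(DhcpOffer(kv["server"], kv["yiaddr"], kv["mask"],
                                kv["router"], tuple(kv["dns"].split(","))))
    return offers


def audit_offer(offer, expected):
    """Return the list of problems with one offer; an empty list means it matches."""
    problems = []
    if offer.server_ip not in expected.servers:
        problems.append(f"unauthorised DHCP server {offer.server_ip}")
    net = ipaddress.ip_network(expected.network)
    # ip_interface accepts a dotted-quad mask, giving the client's view of its subnet.
    client = ipaddress.ip_interface(f"{offer.offered_ip}/{offer.subnet_mask}")
    if client.network != net:
        problems.append(f"offered {client.with_prefixlen} is outside {net}")
    if offer.router != expected.router:
        problems.append(f"default gateway {offer.router} instead of {expected.router}")
    unexpected_dns = set(offer.dns_servers) - expected.dns_servers
    if unexpected_dns:
        problems.append("unexpected DNS server(s) " + ", ".join(sorted(unexpected_dns)))
    return problems


def audit_offers(offers, expected):
    """Return {(server_ip, offered_ip): [problems]} for every deviating offer."""
    report = {}
    for offer in offers:
        problems = audit_offer(offer, expected)
        if problems:
            report[(offer.server_ip, offer.offered_ip)] = problems
    return report


if __name__ == "__main__":
    for (server, offered), problems in audit_offers(parse_offers(SAMPLE_LOG),
                                                    EXPECTED).items():
        print(f"offer of {offered} from {server}:")
        for p in problems:
            print("  -", p)
```

The second offer is reported as a rogue server handing out its own address as gateway and resolver; the third shows that a legitimate server can also be caught when it offers a lease outside the segment's prefix.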

In this lab, you will learn to draw network diagrams using LANSurveyor. To be an expert network administrator and penetration tester you need to discover network topology and produce comprehensive network diagrams for discovered networks.

Lab Objectives

The objective of this lab is to help students discover and diagram network topology and map a discovered network.

In this lab, you need to:

■ Draw a map showing the logical connectivity of your network and navigate around the map

■ Create a report that includes all your managed switches and hubs



Lab Environment

To perform the lab, you need:

■ LANSurveyor located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Network Discovery and Mapping Tools\LANsurveyor

■ You can also download the latest version of LANSurveyor from the link http://www.solarwinds.com/

■ If you decide to download the latest version, then the screenshots shown in the lab might differ

■ A computer running Windows Server 2012

■ A web browser with Internet access

■ Administrative privileges to run the LANSurveyor tool

Lab Duration

Time: 10 Minutes

Overview of LANSurveyor

SolarWinds LANsurveyor automatically discovers your network and produces a comprehensive network diagram that can be easily exported to Microsoft Office Visio. LANsurveyor automatically detects new devices and changes to network topology. It simplifies inventory management for hardware and software assets, and addresses reporting needs for PCI compliance and other regulatory requirements.

Lab Tasks

Install LANSurveyor on your Windows Server 2012.

Follow the wizard-driven installation steps and install LANSurveyor.

1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

TASK 1: Draw Network Diagram

FIGURE 8.1: Windows Server 2012 - Desktop view

2. Click the LANsurveyor app to open the LANsurveyor window


FIGURE 8.2: Windows Server 2012 - Apps

3. Review the limitations of the evaluation software and then click Continue with Evaluation to continue the evaluation

FIGURE 8.3: LANSurveyor evaluation window

4. The Getting Started with LANsurveyor dialog box is displayed. Click Start Scanning Network


LANsurveyor's Responder client: manage remote Windows, Linux, and Mac OS nodes from the LANsurveyor map, including starting and stopping applications and distributing files

LANsurveyor uses an almost immeasurable amount of network bandwidth. For each type of discovery method (ICMP Ping, NetBIOS, SIP, etc.)


FIGURE 8.4: Getting Started with LANsurveyor wizard

5. The Create A Network Map window will appear; in order to draw a network diagram, enter the IP addresses in Begin Address and End Address, and click Start Network Discovery

LANsurveyor uses a number of techniques to map managed switch/hub ports to their corresponding IP address nodes. It's important to remember switches and hubs are Layer 2 (Ethernet address) devices that don't have Layer 3 (IP address) information.


FIGURE 8.5: New Network Map window

6. The mapping process for the entered IP addresses will display as shown in the following figure

FIGURE 8.6: Mapping progress window

7. LANsurveyor displays the map of your network

LANsurveyor's network discovery discovers all network nodes, regardless of whether they are end nodes, routers, switches or any other node with an IP address

LANsurveyor is capable of discovering and mapping multiple VLANs on Layer 2. For example, to map a switch connecting multiple, non-consecutive VLANs


FIGURE 8.7: Resulting network diagram

Lab Analysis

Document all the IP addresses, domain names, node names, IP routers, and SNMP nodes you discovered during the lab.

Tool/Utility: LANSurveyor

Information Collected/Objectives Achieved:

IP address: 10.0.0.1 - 10.0.0.254

IP Nodes Details:

■ SNMP Send - 62

■ ICMP Ping Send - 31

■ ICMP Receipts - 4

■ Nodes Mapped - 4

Network Segment Details:

■ IP Addresses - 4

■ Domain Names - 4

■ Node Names - 4

LANsurveyor Responder Clients greatly enhance the functionality of LANsurveyor by providing device inventory and direct access to networked computers.


Questions

1. Does LANSurveyor map every IP address to its corresponding switch or hub port?

2. Can nodes connected via wireless access points be detected and mapped?

Internet Connection Required

☐ Yes ☑ No

Platform Supported

☑ Classroom ☑ iLabs


Mapping a Network Using Friendly Pinger

Friendly Pinger is a user-friendly application for network administration, monitoring, and inventory.

Lab Scenario

In the previous lab, you found the SNMP, ICMP Ping, Nodes Mapped, etc. details using the tool LANsurveyor. If an attacker is able to get hold of this information, he or she can shut down your network using SNMP. They can also get a list of interfaces on a router using the default community name public and disable them using the read-write community. SNMP MIBs include information about the identity of the agent's host, and an attacker can take advantage of this information to initiate an attack. Using the ICMP reconnaissance technique an attacker can also determine the topology of the target network. Attackers could use either the ICMP "Time exceeded" or "Destination unreachable" messages. Both of these ICMP messages can cause a host to immediately drop a connection.

As an expert Network Administrator and Penetration Tester you need to discover network topology and produce comprehensive network diagrams for discovered networks, and block attacks by deploying firewalls on a network to filter unwanted traffic. You should be able to block outgoing SNMP traffic at border routers or firewalls. In this lab, you will learn to map a network using the tool Friendly Pinger.
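The scenario above turns on SNMP community strings: a default read or read-write community lets anyone who can reach UDP/161 enumerate or reconfigure the device, which is why the lab tells you to block outgoing SNMP at the border. The Python below is an added example, not code from the lab manual or from LANsurveyor or Friendly Pinger. It decodes only the outer BER envelope of SNMPv1/v2c messages (version INTEGER and community OCTET STRING) and flags captured datagrams that use the factory defaults, which is the check a border filter or IDS rule is meant to enforce. The packet records and addresses are constructed for the example, and the "public"/"private" list is an assumption you would extend with your own vendor defaults.

```python
"""Flag SNMPv1/v2c datagrams that carry default community strings.

Added example; not code from the CEH lab manual, LANsurveyor or Friendly
Pinger. Only the outer BER envelope of an SNMP message is decoded, which is
enough to recover the version and the plaintext community string.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_COMMUNITIES = {"public", "private"}   # assumed list of factory defaults
SNMP_PORT = 161


def ber_tlv(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV with short- or long-form definite length."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: (first & 0x7F) length bytes follow
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV value")
    return tag, value, pos + length


@dataclass
class SnmpHeader:
    version: int        # 0 = SNMPv1, 1 = SNMPv2c
    community: str


def parse_snmp_header(datagram: bytes) -> Optional[SnmpHeader]:
    """Version and community for v1/v2c; None for v3 or anything that is not SNMP."""
    try:
        tag, body, _ = read_tlv(datagram, 0)
        if tag != 0x30:                   # an SNMP message is a SEQUENCE
            return None
        tag, ver, pos = read_tlv(body, 0)
        if tag != 0x02:
            return None
        version = int.from_bytes(ver, "big")
        if version not in (0, 1):         # SNMPv3 (3) carries no plaintext community
            return None
        tag, community, _ = read_tlv(body, pos)
        if tag != 0x04:
            return None
        return SnmpHeader(version, community.decode("ascii", "replace"))
    except ValueError:
        return None


def build_get_request(community: str, version: int = 1) -> bytes:
    """Construct a minimal GetRequest for sysDescr.0 (sample traffic only)."""
    sys_descr_0 = bytes.fromhex("2b06010201010100")      # OID 1.3.6.1.2.1.1.1.0
    varbind = ber_tlv(0x30, ber_tlv(0x06, sys_descr_0) + ber_tlv(0x05, b""))
    pdu = ber_tlv(0xA0, ber_tlv(0x02, b"\x01") + ber_tlv(0x02, b"\x00")
                  + ber_tlv(0x02, b"\x00") + ber_tlv(0x30, varbind))
    return ber_tlv(0x30, ber_tlv(0x02, bytes([version]))
                   + ber_tlv(0x04, community.encode()) + pdu)


def flag_default_communities(records) -> List[str]:
    """records: (src, dst, dst_port, payload) tuples; one alert per offending datagram."""
    alerts = []
    for src, dst, dport, payload in records:
        if dport != SNMP_PORT:
            continue
        hdr = parse_snmp_header(payload)
        if hdr and hdr.community in DEFAULT_COMMUNITIES:
            ver = "v1" if hdr.version == 0 else "v2c"
            alerts.append(f"{src} -> {dst}: SNMP{ver} with default community '{hdr.community}'")
    return alerts


if __name__ == "__main__":
    # Constructed capture: two datagrams from the lab's 10.0.0.0/24 to an outside address.
    sample = [("10.0.0.7", "203.0.113.5", 161, build_get_request("public")),
              ("10.0.0.7", "10.0.0.1", 161, build_get_request("s3cret", version=0))]
    for alert in flag_default_communities(sample):
        print(alert)
```

The parser deliberately stops after the community string: that is all a filtering decision needs, and it keeps malformed PDUs from reaching any deeper decoding. Feeding it real UDP payloads from a capture gives you the list of hosts still talking SNMP with defaults, which is the inventory to fix before relying on the border block.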

Lab Objectives

The objective of this lab is to help students discover and diagram network topology and map a discovered network.

In this lab, you need to:

■ Discover a network using discovery techniques
■ Diagram the network topology
■ Detect new devices and modifications made in network topology
■ Perform inventory management for hardware and software assets

ICON KEY

■ Valuable information
■ Test your knowledge
■ Web exercise
■ Workbook review


Lab Environment

To perform the lab, you need:

■ Friendly Pinger located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Network Discovery and Mapping Tools\FriendlyPinger
■ You can also download the latest version of Friendly Pinger from the link http://www.kilievich.com/fpinger/download.htm
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ A web browser with Internet access
■ Administrative privileges to run the Friendly Pinger tool

Lab Duration

Time: 10 Minutes

Overview of Network Mapping

Network mapping is the study of the physical connectivity of networks. Network mapping is often carried out to discover servers and operating systems running on networks. This technique detects new devices and modifications made in network topology. You can perform inventory management for hardware and software assets.

Friendly Pinger performs the following to map the network:

■ Monitoring network devices availability
■ Notifies if any server wakes or goes down
■ Ping of all devices in parallel at once
■ Audits hardware and software components installed on the computers over the network

Lab Tasks

TASK 1: Draw Network Map

1. Install Friendly Pinger on your Windows Server 2012.

2. Follow the wizard-driven installation steps and install Friendly Pinger.

3. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks


FIGURE 9.1: Windows Server 2012 - Desktop view

4. Click the Friendly Pinger app to open the Friendly Pinger window.

FIGURE 9.2: Windows Server 2012 - Apps (Start screen showing the Friendly Pinger tile among the installed apps)

5. The Friendly Pinger window appears, and Friendly Pinger prompts you to watch an online demonstration.

6. Click No.

FIGURE 9.3: FPinger Main Window (Friendly Pinger [Demo.map] showing the demonstration map; the status bar reads "click the client area to add a new device...")


You are alerted when nodes become unresponsive (or become responsive again) via a variety of notification methods.

Friendly Pinger will display the IP address of your computer and will offer an exemplary range of IP addresses for scanning.

To see the route to a device, right-click it, select "Ping, Trace" and then "TraceRoute". In the lower part of the map a TraceRoute dialog window will appear. While the intermediate addresses are being determined, they are displayed as a list in this window and the route is drawn as red arrows on the map.


7. Select File from the menu bar and select the Wizard option.

FIGURE 9.4: FPinger Starting Wizard (File menu of Friendly Pinger [Demo.map]: New, Open, Reopen, Update, Save, Save As, Close, Close All, Save As Image, Print, Lock, Create Setup, Options (F9), Exit)

8. To create the initial mapping of the network, type a range of IP addresses in the specified field as shown in the following figure and click Next.

FIGURE 9.5: FPinger Initializing IP address range (Wizard dialog: Local IP address 10.0.0.7; "The initial map will be created by query from DNS-server the information about following IP-addresses"; "You can specify an exacter range of scanning to speed up this operation. For example: 10.129-135.1-5.1-10"; Timeout 1000; "Timeout allows to increase searching, but you can miss some addresses.")
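Behind the wizard's range field, and behind the "ping of all devices in parallel" and "notifies if any server wakes or goes down" features listed in the overview, sits a small amount of logic. The Python below is an added example, not Friendly Pinger's own code, that reproduces it: expand_range accepts the per-octet range syntax the wizard's help text shows (e.g. 10.129-135.1-5.1-10), sweep probes every resulting address concurrently, and state_changes diffs two sweeps to produce the up/down notices. Probing by TCP connect to port 445 is an assumption made here because ICMP echo needs raw sockets; the up/down states used in main() are constructed so the demo runs offline.

```python
"""Expand a Friendly Pinger-style address range and sweep it in parallel.

Added example; this is not Friendly Pinger's own code. Each dotted octet of
the range may be a single value or a lo-hi span, all resulting hosts are
probed concurrently, and two sweeps are compared to raise up/down notices.
Assumption: the probe is a TCP connect to port 445, not ICMP echo.
"""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List

Probe = Callable[[str], bool]


def expand_range(spec: str) -> List[str]:
    """'10.0.0.1-4' -> ['10.0.0.1', ..., '10.0.0.4']; every octet may be lo-hi."""
    parts = spec.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four dotted octets: {spec!r}")
    spans = []
    for part in parts:
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 0 <= lo_i <= hi_i <= 255:
            raise ValueError(f"bad octet range: {part!r}")
        spans.append(range(lo_i, hi_i + 1))
    return [f"{a}.{b}.{c}.{d}"
            for a in spans[0] for b in spans[1] for c in spans[2] for d in spans[3]]


def tcp_probe(host: str, port: int = 445, timeout: float = 1.0) -> bool:
    """Availability probe (assumption): a completed TCP handshake counts as 'up'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def sweep(hosts: List[str], probe: Probe = tcp_probe, workers: int = 64) -> Dict[str, bool]:
    """Probe all hosts at once; map each host to its up/down state."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(zip(hosts, pool.map(probe, hosts)))


def state_changes(previous: Dict[str, bool], current: Dict[str, bool]) -> List[str]:
    """Notices for hosts whose state differs from the previous sweep."""
    notices = []
    for host in sorted(current, key=ipaddress.IPv4Address):
        was, now = previous.get(host), current[host]
        if was is None and now:
            notices.append(f"{host}: new device responding")
        elif was and not now:
            notices.append(f"{host}: went down")
        elif was is False and now:
            notices.append(f"{host}: came back up")
    return notices


if __name__ == "__main__":
    hosts = expand_range("10.0.0.1-8")
    # Constructed states instead of live probes, so the demo runs offline.
    first = sweep(hosts, probe=lambda h: h in {"10.0.0.2", "10.0.0.3"})
    second = sweep(hosts, probe=lambda h: h in {"10.0.0.3", "10.0.0.4"})
    for line in state_changes({}, first) + state_changes(first, second):
        print(line)
```

To run it against the lab network, call sweep(expand_range("10.0.0.1-254")) with the default probe and keep the returned dictionary for the next round; the "new device responding" notice is the one that matters for spotting a rogue host that appeared between sweeps.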

9. Then the wizard will start scanning the IP addresses in the network, and list them.

10. Click Next.

Scanning allows you to know a lot about your network. Thanks to the unique technologies, you may quickly find all the HTTP, FTP, e-mail and other services present on your network.

The map occupies most of the window. Right-click it. In the context menu that appears select "Add" and then "Workstation". A Device configuration dialog window will appear. Specify the requested parameters: device name, address, description, picture.

The device is displayed as an animated picture if it is pinged, and as a black and white picture if it is not pinged.


FIGURE 9.6: FPinger Scanning of Address completed (Wizard results: devices WIN-MSSELCK4K41, Windows8, WIN-LXQN3WR3R9M and WIN-D39MR5HL9E4 at 10.0.0.2, 10.0.0.3, 10.0.0.5 and 10.0.0.7; "The inquiry is completed. 4 devices found. Remove tick from devices which you don't want to add on the map")

11. Set the default options in the Wizard selection windows and click Next.

FIGURE 9.7: FPinger selecting the Devices type (Wizard dialog: Devices type Workstation; Address: Use IP-address / Use DNS-name (selected); Name: Remove DNS suffix; Addition: Add devices to the new map / Add devices to the current map (selected))

Press CTRL+I to get more information about the created map. You will see your name as the map author in the dialog window that appears.

Ping verifies a connection to a remote host by sending an ICMP (Internet Control Message Protocol) ECHO packet to the host and listening for an ECHO REPLY packet. A message is always sent to an IP address. If you do not specify an address but a hostname, this hostname is resolved to an IP address using your default DNS server. In this case you're vulnerable to a possible invalid entry on your DNS (Domain Name Server) server.

12. Then the client area displays the network map in the FPinger window.


FIGURE 9.8: FPinger Client area with Network architecture (Friendly Pinger [Default.map])

13. To scan the selected computer in the network, select the computer, select the Scan tab from the menu bar and click Scan.

FIGURE 9.9: FPinger Scanning the computers in the Network (Scan menu of Friendly Pinger [Default.map])

14. It displays the scanned details in the Scanning wizard.

If you want to ping inside the network, behind the firewall, there will be no problems. If you want to ping other networks behind the firewall, it must be configured to let the ICMP packets pass through. Your network administrator should do it for you. The same applies to the proxy server.

You may download the latest release: http://www.kilievich.com/fpinger

Select "File | Options", and configure Friendly Pinger to your taste.


FIGURE 9.10: FPinger Scanned results (Scanning dialog: computers WIN-MSSELCK4K41 and WIN-D39MR5HL9E4, each with an HTTP service and a command of the form http://<computer name>; status "Scanning complete"; buttons Rescan, OK, Cancel, Help)

Double-click the device to open it in Explorer.

15. Click the Inventory tab from the menu bar to view the configuration details of the selected computer.

FIGURE 9.11: FPinger Inventory tab (Inventory menu of Friendly Pinger [Default.map], with the Inventory and Options entries)

16. The General tab of the Inventory wizard shows the computer name and installed operating system.

Audit software and hardware components installed on the computers over the network.

Tracking user access and files opened on your computer via the network.


FIGURE 9.12: FPinger Inventory wizard General tab (tabs General, Misc, Hardware, Software, History; Computer/User: Host name WIN-D39MR5HL9E4, User name Administrator; Windows: Name Windows Server 2012 Release Candidate Datacenter, Service pack blank; Collection time 8/22/2012 11:22:34 AM)

17. The Misc tab shows the Network IP addresses, MAC addresses, File System, and Size of the disks.

FIGURE 9.13: FPinger Inventory wizard Misc tab (Network: IP address 10.0.0.7, MAC address D4-BE-D9-C3-CE-2D; Total space 465.42 Gb, Free space 382.12 Gb; Display settings 1366x768, 60 Hz, True Color (32 bit))

Disk | Type | Free, Gb | Size, Gb | % | File System
C | Fixed | 15.73 | 97.31 | 84 | NTFS
D | Fixed | 96.10 | 97.66 | 2 | NTFS

18. The Hardware tab shows the hardware component details of your networked computers.

Assignment of external commands (like telnet, tracert, net.exe) to devices.

Search of HTTP, FTP, e-mail and other network services.

The "Create Setup" function allows you to create a lite freeware version with your maps and settings.


FIGURE 9.14: FPinger Inventory wizard Hardware tab (WIN-D39MR5HL9E4: 4x Intel Pentium III Xeon processors; Memory 4096 Mb; BIOS AT/AT COMPATIBLE DELL, 02/09/12; Monitors: Generic PnP Monitor; Display adapters: Intel(R) HD Graphics Family; Disk drives: ST3500413AS; Network adapters: Realtek PCIe GBE Family Controller; SCSI and RAID: Microsoft Storage Spaces Controller)

19. The Software tab shows the installed software on the computers.

FIGURE 9.15: FPinger Inventory wizard Software tab (WIN-D39MR5HL9E4; columns Name, Version, Developer, Homepage; entries include Adobe Reader X (10.1.3), eMailTrackerPro, EPSON USB Display, Friendly Pinger, Intel(R) Processor Graphics, Java(TM) 6 Update 17, Microsoft .NET Framework 4 Multi-Targeting Pack, Microsoft Application Error Reporting, and the Microsoft Office 2010 MUI and Proofing components)

Lab Analysis

Document all the IP addresses, open and closed ports, services, and protocols you discovered during the lab.

Visualization of your computer network as a beautiful animated screen.


Tool/Utility: Friendly Pinger

Information Collected/Objectives Achieved:

IP address: 10.0.0.1-10.0.0.20

Found IP addresses:

■ 10.0.0.2
■ 10.0.0.3
■ 10.0.0.5
■ 10.0.0.7

Details Result of 10.0.0.7:

■ Computer name
■ Operating system
■ IP Address
■ MAC address
■ File system
■ Size of disk
■ Hardware information
■ Software information

YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Does FPinger support proxy servers and firewalls?

2. Examine the programming language used in FPinger.

Internet Connection Required

☐ Yes ☑ No

Platform Supported

☑ Classroom ☑ iLabs


Lab

Scanning a Network Using the Nessus Tool

Nessus allows you to remotely audit a network and determine if it has been broken into or misused in some way. It also provides the ability to locally audit a specific machine for vulnerabilities.

Lab Scenario

In the previous lab, you learned to use Friendly Pinger to monitor network devices, receive server notification, ping information, track user access via the network, view graphical trace routes, etc. Once attackers have the information related to network devices, they can use it as an entry point to a network for a comprehensive attack and perform many types of attacks ranging from DoS attacks to unauthorized administrative access. If attackers are able to get traceroute information, they might use a methodology such as firewalking to determine the services that are allowed through a firewall.

If an attacker gains physical access to a switch or other network device, he or she will be able to successfully install a rogue network device; therefore, as an administrator, you should disable unused ports in the configuration of the device. Also, it is very important that you use some methodologies to detect such rogue devices on the network.

As an expert ethical hacker and penetration tester, you must understand how vulnerabilities, compliance specifications, and content policy violations are scanned using the Nessus tool.

Lab Objectives

This lab will give you experience on scanning the network for vulnerabilities, and show you how to use Nessus. It will teach you how to:

■ Use the Nessus tool
■ Scan the network for vulnerabilities

ICON KEY

■ Valuable information
■ Test your knowledge
■ Web exercise
■ Workbook review


Lab Environment

To carry out the lab, you need:

■ Nessus, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\Nessus
■ You can also download the latest version of Nessus from the link http://www.tenable.com/products/nessus/nessus-download-agreement
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ A computer running Windows Server 2012
■ A web browser with Internet access
■ Administrative privileges to run the Nessus tool

Lab Duration

Time: 20 Minutes

Overview of Nessus Tool

Nessus helps students to learn, understand, and determine vulnerabilities and weaknesses of a system and network in order to know how a system can be exploited. Network vulnerabilities can be network topology and OS vulnerabilities, open ports and running services, application and service configuration errors, and application and service vulnerabilities.

Lab Tasks

TASK 1: Nessus Installation

1. To install Nessus navigate to D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Vulnerability Scanning Tools\Nessus

2. Double-click the Nessus-5.0.1-x86_64.msi file.

3. The Open File - Security Warning window appears; click Run.

FIGURE 10.1: Open File - Security Warning (dialog: "Do you want to run this file?"; Publisher: Tenable Network Security Inc.; Type: Windows Installer Package; buttons Run / Cancel; "Always ask before opening the file"; "While files from the Internet can be useful, this file type can potentially harm your computer. Only run software from publishers you trust.")

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Nessus is public domain software released under the GPL.

Nessus is designed to automate the testing and discovery of known security problems.


4. The Nessus - InstallShield Wizard appears. During the installation process, the wizard prompts you for some basic information. Follow the instructions. Click Next.

FIGURE 10.2: The Nessus installation window (Tenable Nessus (x64) - InstallShield Wizard: "Welcome to the InstallShield Wizard for Tenable Nessus (x64). The InstallShield(R) Wizard will install Tenable Nessus (x64) on your computer. To continue, click Next." "WARNING: This program is protected by copyright law and international treaties."; buttons Back, Next, Cancel)

5. Before you begin installation, you must agree to the license agreement as shown in the following figure.

6. Select the radio button to accept the license agreement and click Next.

FIGURE 10.3: The Nessus InstallShield Wizard (License Agreement page: "Please read the following license agreement carefully."; the Tenable Network Security, Inc. NESSUS Software License Agreement; options "I accept the terms in the license agreement" / "I do not accept the terms in the license agreement"; buttons Print, Back, Next, Cancel)

7. Select a destination folder and click Next.

The updated Nessus security checks database can be retrieved with the command nessus-update-plugins.

Nessus has the ability to test SSLized services such as https, smtps, imaps and more.

The Nessus security scanner includes NASL (Nessus Attack Scripting Language).


FIGURE 10.4: The Nessus InstallShield Wizard (Destination Folder page: "Click Next to install to this folder, or click Change to install to a different folder." Install Tenable Nessus (x64) to: C:\Program Files\Tenable\Nessus\; buttons Change, Back, Next, Cancel)

8. The wizard prompts for Setup Type. With the Complete option, all program features will be installed. Check Complete and click Next.

FIGURE 10.5: The Nessus InstallShield Wizard for Setup Type ("Choose the setup type that best suits your needs.")

9. The Nessus wizard will prompt you to confirm the installation. Click Install.

Nessus gives you the choice of performing regular nondestructive security audits on a routine basis.

Nessus probes a range of addresses on a network to determine which hosts are alive.


FIGURE 10.6: Nessus InstallShield Wizard (Ready to Install the Program page: "The wizard is ready to begin installation. Click Install to begin the installation. If you want to review or change any of your installation settings, click Back. Click Cancel to exit the wizard."; buttons Back, Install, Cancel)

Nessus probes network services on each host to obtain banners that contain software and OS version information.

10. Once installation is complete, click Finish.

FIGURE 10.7: Nessus InstallShield Wizard (InstallShield Wizard Completed: "The InstallShield Wizard has successfully installed Tenable Nessus (x64). Click Finish to exit the wizard.")

Path of the Nessus home directory for Windows: \Program Files\Tenable\Nessus

Nessus Major Directories

The major directories of Nessus are shown in the following table.


Nessus Home Directory | Nessus Sub-Directories | Purpose
Windows: \Program Files\Tenable\Nessus | \conf | Configuration files
 | \data | Stylesheet templates
 | \nessus\plugins | Nessus plugins
 | \nessus\users\<username>\kbs | User knowledgebase saved on disk
 | \nessus\logs | Nessus log files

TABLE 10.1: Nessus Major Directories

11. After installation Nessus opens in your default browser.

12. The Welcome to Nessus screen appears; click the here link to connect via SSL.

FIGURE 10.8: Nessus SSL certification ("Welcome to Nessus! Please connect via SSL by clicking here. You are likely to get a security alert from your web browser saying that the SSL certificate is invalid. You may either choose to temporarily accept the risk, or can obtain a valid SSL certificate from a registrar. Please refer to the Nessus documentation for more information.")

13. Click OK in the Security Alert pop-up, if it appears.

FIGURE 10.9: Internet Explorer Security Alert ("You are about to view pages over a secure connection. Any information you exchange with this site cannot be viewed by anyone else on the web."; checkbox "In the future, do not show this warning"; buttons OK, More Info)

14. Click the Continue to this website (not recommended) link to continue.

During the installation and daily operation of Nessus, manipulating the Nessus service is generally not required.

The Nessus Server Manager used in Nessus 4 has been deprecated.


FIGURE 10.10: Internet Explorer website's security certificate (Certificate Error: "There is a problem with this website's security certificate. The security certificate presented by this website was not issued by a trusted certificate authority. The security certificate presented by this website was issued for a different website's address. Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage and do not continue to this website."; links "Click here to close this webpage.", "Continue to this website (not recommended).", "More information")

15. Click OK in the Security Alert pop-up, if it appears.

FIGURE 10.11: Internet Explorer Security Alert ("You are about to view pages over a secure connection. Any information you exchange with this site cannot be viewed by anyone else on the web."; checkbox "In the future, do not show this warning"; buttons OK, More Info)

16. The Thank you for installing Nessus screen appears. Click the Get Started > button.

Due to the technical implementation of SSL certificates, it is not possible to ship a certificate with Nessus that would be trusted by browsers.

FIGURE 10.11: Nessus Getting Started (Welcome to Nessus: "Thank you for installing the world's leading vulnerability scanner. Nessus will allow you to perform high-speed vulnerability discovery, to determine which hosts are running which services; agentless auditing; compliance checks, to verify and prove that every host on your network adheres to the security policy you set; scan scheduling, to automatically run scans at the frequency you select; and more!"; button Get started >)

17. In Initial Account Setup enter the credentials given at the time of registration and click Next >.

warning, a custom certificate to your organization must be used


Initial Account Setup: First, we need to create an admin user for the scanner. This user will have administrative control on the scanner; the admin has the ability to create/delete users, stop ongoing scans, and change the scanner configuration. Login: admin / Password / Confirm Password.

Because the admin user can change the scanner configuration, the admin has the ability to execute commands on the remote host. Therefore, it should be noted that the admin user has the same privileges as the "root" (or administrator) user on the remote host. Treat the account accordingly: give it a strong, unique password and do not expose the scanner's web interface beyond the hosts that need to reach it.

FIGURE 10.12: Nessus Initial Account Setup

18. In Plugin Feed Registration, you need to enter the activation code. To obtain an activation code, click the http://www.nessus.org/register/ link.

19. Click the Using Nessus at Home icon in Obtain an Activation Code.

If you are using the Tenable SecurityCenter, the Activation Code and plugin updates are managed from SecurityCenter. Nessus needs to be started to be able to communicate with SecurityCenter, which it will normally not do without a valid Activation Code and plugins.

FIGURE 10.13: Nessus Obtaining Activation Code

20. In Nessus for Home, accept the agreement by clicking the Agree button as shown in the following figure.


Nessus HomeFeed Subscription Agreement: the HomeFeed subscription is available for personal use only and is not for use by any commercial organization.

FIGURE 10.14: Nessus Subscription Agreement

21. Fill in the Register a HomeFeed section to obtain an activation code and click Register.

Register a HomeFeed: To stay up to date with the Nessus plugins you need to enter the email address to which an activation code will be sent. Your email address will not be shared with any 3rd party. [ ] Check to receive updates from Tenable. Register

FIGURE 10.15: Nessus Registering HomeFeed

22. The Thank You for Registering window appears for Tenable Nessus HomeFeed.

If you do not register your copy of Nessus, you will not receive any new plugins and will be unable to start the Nessus server. Note: The Activation Code is not case sensitive.


After the initial registration, Nessus will download and compile the plugins obtained from port 443 of plugins.nessus.org or plugins-customers.nessus.org.

Thank You for Registering! An email containing your activation code has just been sent to you at the email address you provided. Please note that the Tenable Nessus HomeFeed is available for home use only. If you want to use Nessus at your place of business, you must purchase the Nessus ProfessionalFeed. Alternatively, you may purchase a subscription to the Nessus Perimeter Service and scan in the cloud; the Nessus Perimeter Service does not require any software download.

FIGURE 10.16: Nessus Registration Completed

23. Now log in to your email for the activation code provided at the time of registration, as shown in the following figure.

FIGURE 10.17: Nessus Registration mail

24. Now enter the activation code received at your email ID and click Next.


Plugin Feed Registration

As information about new vulnerabilities is discovered and released into the public domain, Tenable's research staff designs programs ("plugins") that enable Nessus to detect their presence. The plugins contain vulnerability information, the algorithm to test for the presence of the security issue, and a set of remediation actions. To use Nessus, you need to subscribe to a "Plugin Feed". You can do so by visiting http://www.nessus.org/register/ to obtain an Activation Code.

• To use Nessus at your workplace, purchase a commercial ProfessionalFeed
• To use Nessus in a non-commercial home environment, you can get a HomeFeed for free
• Tenable SecurityCenter users: Enter 'SecurityCenter' in the field below
• To perform offline plugin updates, enter 'offline' in the field below

Activation Code: Please enter your Activation Code (the code from the registration email). Optional Proxy Settings. < Prev / Next >

Once the plugins have been downloaded and compiled, the Nessus GUI will initialize and the Nessus server will start.

FIGURE 10.18: Nessus Applying Activation Code

25. The Registering window appears as shown in the following screenshot.

Registering... Registering the scanner with Tenable...

FIGURE 10.19: Nessus Registering Activation Code

26. After successful registration, click Next: Download plugins > to download the Nessus plugins.

Registering... Successfully registered the scanner with Tenable. Successfully created the user.

Nessus server configuration is managed via the GUI. The nessusd.conf file is deprecated. In addition, proxy settings, subscription feed registration, and offline updates are managed via the GUI.

FIGURE 10.20: Nessus Downloading Plugins

27. Nessus will start fetching the plugins and install them; installing the plugins and completing initialization will take some time.

Nessus is fetching the newest plugin set. Please wait...

FIGURE 10.21: Nessus fetching the newest plugin set

28. The Nessus Log In page appears. Enter the Username and Password you created in Initial Account Setup (step 17) and click Log In.


FIGURE 10.22: The Nessus Log In screen

29. The Nessus HomeFeed window appears. Click OK.

TASK 2
Network Scan Vulnerabilities

For the item SSH user name, enter the name of the account that is dedicated to Nessus on each of the scan target systems.

FIGURE 10.23: Nessus HomeFeed subscription

30. After you successfully log in, the Nessus Daemon window appears as shown in the following screenshot.

FIGURE 10.24: The Nessus main screen

31. If you have an Administrator Role, you can see the Users tab, which lists all Users, their Roles, and their Last Logins.

To add a new policy, click Policies -> Add Policy.


New policies are configured using the Credentials tab.

FIGURE 10.25: The Nessus administrator view

32. To add a new policy, click Policies -> Add Policy. Fill in the General policy sections, namely, Basic, Scan, Network Congestion, Port Scanners, Port Scan Options, and Performance.

WARNING: Any changes to the Nessus scanner configuration will affect ALL Nessus users. Edit these options carefully.

FIGURE 10.26: Adding Policies

33. To configure the credentials of the new policy, click the Credentials tab shown in the left pane of Add Policy.


The most effective credentialed scans are those for which the supplied credentials have root privileges. Those credentials are stored on the scanner, which is one more reason to protect the scanner's admin account (step 17) as you would a root account.

FIGURE 10.27: Adding Policies and setting Credentials

34. To select the required plugins, click the Plugins tab in the left pane of Add Policy.

If you are using Kerberos, you must configure the Nessus scanner to authenticate to a KDC.

FIGURE 10.28: Adding Policies and selecting Plugins

35. To configure preferences, click the Preferences tab in the left pane of Add Policy.

36. In the Plugin field, select Database settings from the drop-down list.

37. Enter the database Login details.

38. Give the Database SID: 4587, Database port to use: 124, and select Oracle auth type: SYSDBA.

39. Click Submit.

If the policy is successfully added, the Nessus server displays a confirmation message.


FIGURE 10.29: Adding Policies and setting Preferences

40. A message Policy "NetworkScan_Policy" was successfully added displays as shown as follows.

FIGURE 10.30: The NetworkScan Policy

41. Now, click Scans -> Add to open the Add Scan window.

42. Input the fields Name, Type, Policy, and Scan Targets.

43. In Scan Targets, enter the IP address of your network; here in this lab we are scanning 10.0.0.2.

44. Click Launch Scan at the bottom-right of the window.

Note: The IP addresses may differ in your lab environment.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

The Add Scan window takes Name, Type, Policy, Scan Targets and, optionally, a Targets File.


Nessus has the ability to save configured scan policies, network targets, and reports as a .nessus file.

FIGURE 10.31: Add Scan

45. The scan launches and starts scanning the network.

FIGURE 10.32: Scanning in progress

46. After the scan is complete, click the Reports tab.

FIGURE 10.33: Nessus Reports tab

47. Double-click Local Network to view the detailed scan report.

FIGURE 10.34: Report of the scanned target


48. Double-click any result to display a more detailed synopsis, description, security level, and solution.

FIGURE 10.35: Report of a scanned target

49. Click the Download Report button in the left pane.

50. You can download available reports with a .nessus extension from the drop-down list.

Download Report: Download Format / Chapters (Chapter Selection Not Allowed) / Cancel / Submit

If you are manually creating "nessusrc" files, there are several parameters that can be configured to specify SSH authentications.

FIGURE 10.36: Download Report with .nessus extension

51. Now, click Log out.

52. In the Nessus Server Manager, click Stop Nessus Server.

FIGURE 10.37: Log out Nessus

Lab Analysis

Document all the results and reports gathered during the lab.

To stop the Nessus server, go to the Nessus Server Manager and click the Stop Nessus Server button.
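The .nessus file downloaded at step 50 is plain XML (the Nessus v2 export), so the results you are asked to document above can be pulled out without the web UI. The following is an added example, not code from this lab manual or from Tenable: it parses the v2 layout (NessusClientData_v2 / Report / ReportHost / ReportItem), sorts each host's findings by severity and lists anything at High or above with its solution text. The embedded SAMPLE is a constructed, shortened export; its host, plugin IDs and findings are placeholders, not real scan output.

```python
"""Parse a Nessus v2 (.nessus) export and summarize findings per host.

Added example, not part of the CEH lab manual or of Tenable's software.
SAMPLE is a constructed, shortened export: the host, plugin IDs and
findings in it are placeholders, not real scan results.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus "severity" attribute: 0 = Info, 1 = Low, 2 = Medium, 3 = High, 4 = Critical
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

SAMPLE = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="Local Network">
    <ReportHost name="10.0.0.2">
      <HostProperties>
        <tag name="host-ip">10.0.0.2</tag>
        <tag name="operating-system">Microsoft Windows Server 2008</tag>
      </HostProperties>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="19506" pluginName="Nessus Scan Information"
                  pluginFamily="Settings">
        <synopsis>Information about the Nessus scan.</synopsis>
        <solution>n/a</solution>
      </ReportItem>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
                  pluginID="90001" pluginName="Placeholder: SMB service weakness"
                  pluginFamily="Windows">
        <risk_factor>High</risk_factor>
        <synopsis>Constructed high-severity finding.</synopsis>
        <solution>Apply the vendor patch.</solution>
      </ReportItem>
      <ReportItem port="1521" svc_name="oracle_tnslsnr" protocol="tcp" severity="2"
                  pluginID="90002" pluginName="Placeholder: Oracle listener issue"
                  pluginFamily="Databases">
        <risk_factor>Medium</risk_factor>
        <synopsis>Constructed medium-severity finding.</synopsis>
        <solution>Restrict listener access.</solution>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Return {host_ip: {"os": str, "findings": [dict, ...]}} with each host's
    findings sorted highest severity first (ties broken by plugin ID)."""
    root = ET.fromstring(xml_text)
    if root.tag != "NessusClientData_v2":
        raise ValueError(f"not a .nessus v2 export (root element is <{root.tag}>)")
    results = {}
    for host in root.iter("ReportHost"):
        props = {}
        hp = host.find("HostProperties")
        if hp is not None:
            props = {t.get("name"): (t.text or "").strip() for t in hp.findall("tag")}
        ip = props.get("host-ip") or host.get("name")
        findings = []
        for item in host.findall("ReportItem"):
            findings.append({
                "plugin_id": int(item.get("pluginID")),
                "name": item.get("pluginName", ""),
                "severity": int(item.get("severity", "0")),
                "port": f"{item.get('protocol', '?')}/{item.get('port', '?')}",
                "synopsis": (item.findtext("synopsis") or "").strip(),
                "solution": (item.findtext("solution") or "").strip(),
            })
        findings.sort(key=lambda f: (-f["severity"], f["plugin_id"]))
        results[ip] = {"os": props.get("operating-system", "unknown"),
                       "findings": findings}
    return results


def severity_counts(results):
    """Count non-informational findings per severity name across all hosts."""
    counts = Counter()
    for host in results.values():
        for f in host["findings"]:
            if f["severity"] > 0:
                counts[SEVERITY_NAMES.get(f["severity"], str(f["severity"]))] += 1
    return dict(counts)


def findings_at_least(results, min_severity):
    """Return (host_ip, finding) pairs at or above min_severity (3 = High)."""
    return [(ip, f) for ip, host in results.items()
            for f in host["findings"] if f["severity"] >= min_severity]


if __name__ == "__main__":
    report = parse_nessus(SAMPLE)
    for ip, host in report.items():
        print(f"{ip} ({host['os']}): {len(host['findings'])} findings")
    print("by severity:", severity_counts(report))
    for ip, f in findings_at_least(report, 3):
        print(f"  {ip} {f['port']} [{SEVERITY_NAMES[f['severity']]}] {f['name']} -> {f['solution']}")
```

The numeric severity attribute is the field to filter on: risk_factor is a free-text label and is absent on informational items, so code that keys on it silently drops findings.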


Tool/Utility: Nessus

Information Collected/Objectives Achieved:

■ Scan Target Machine: Local Host
■ Performed Scan Policy: NetworkScan_Policy
■ Target IP Address: 10.0.0.2
■ Result: Local Host vulnerabilities

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Evaluate the OS platforms that Nessus has builds for. Evaluate whether Nessus works with SecurityCenter.

2. Determine how the Nessus license works in a VM (Virtual Machine) environment.

Internet Connection Required
[x] Yes  [ ] No

Platform Supported
[x] Classroom  [ ] iLabs


Auditing Scanning by using Global Network Inventory

Global Network Inventory is used as an audit scanner in zero deployment and agent-free environments. It scans computers by IP range, domain, computers or single computers, defined by the Global Network Inventory host file.

Lab Scenario

With the development of network technologies and applications, network attacks are greatly increasing both in number and severity. Attackers always look for service vulnerabilities and application vulnerabilities on a network or servers. If an attacker finds a flaw or loophole in a service run over the Internet, the attacker will immediately use that to compromise the entire system and other data found, and from there can compromise other systems on the network. Similarly, if the attacker finds a workstation with administrative privileges and faults in that workstation's applications, they can execute arbitrary code or implant viruses to intensify the damage to the network.

As a key technique in the network security domain, intrusion detection systems (IDSes) play a vital role in detecting various kinds of attacks and securing the networks. So, as an administrator you should make sure that services do not run as the root user, and should keep up with patches and advisories for applications from vendors or security organizations such as CERT and CVE. Safeguards can be implemented so that email client software does not automatically open or execute attachments. In this lab, you will learn how networks are scanned using the Global Network Inventory tool.

Lab Objectives

This lab will show you how networks can be scanned and how to use Global Network Inventory. It will teach you how to:

■ Use the Global Network Inventory tool


Lab Environment

To carry out the lab, you need:

■ Global Network Inventory tool located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\Global Network Inventory Scanner

■ You can also download the latest version of Global Network Inventory from this link http://www.magnetosoft.com/products/globalnetworkinventory/gni_features.htm/

■ If you decide to download the latest version, then screenshots shown in the lab might differ

■ A computer running Windows Server 2012 as attacker (host machine)

■ Another computer running Windows Server 2008 as victim (virtual machine)

■ A web browser with Internet access

■ Follow the wizard-driven installation steps to install Global Network Inventory

■ Administrative privileges to run tools

Lab Duration

Time: 20 Minutes

Overview of Global Network Inventory

Global Network Inventory is an agentless audit and inventory scanner: given an IP range, domain, host file or single address and an account that can log on to the targets, it collects hardware, software and configuration details from each reachable host. It is an inventory tool rather than a port scanner; it does not perform idle scanning.

Lab Tasks

TASK 1
Scanning the network

1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 11.1: Windows Server 2012 - Desktop view

2. Click the Global Network Inventory app to open the Global Network Inventory window.


Scan computers by IP range, by domain, single computers, or computers defined by the Global Network Inventory host file.

FIGURE 11.2: Windows Server 2012 - Apps

3. The Global Network Inventory Main window appears as shown in the following figure.

4. The Tip of the Day window also appears; click Close.

Scan only items that you need by customizing scan elements.

5. Turn on the Windows Server 2008 virtual machine from Hyper-V Manager.

FIGURE 11.3: Global Network Inventory Main Window


FIGURE 11.4: Windows 2008 Virtual Machine

6. Now switch back to the Windows Server 2012 machine; a New Audit Wizard window will appear. Click Next (or in the toolbar select the Scan tab and click Launch audit wizard).

Reliable IP detection and identification of network appliances such as network printers, document centers, hubs, and other devices.

View scan results, including historic results for all scans, individual machines, or a selected number of addresses.

7. Select IP range scan and then click Next in the Audit Scan Mode wizard.

New Audit Wizard: Welcome to the New Audit Wizard. This wizard will guide you through the process of creating a new inventory audit. To continue, click Next.

FIGURE 11.5: Global Network Inventory new audit wizard


New Audit Wizard: Audit Scan Mode. To start a new audit scan you must choose the scenario that best fits how you will be using this scan.

( ) Single address scan: choose this mode if you want to audit a single computer
(•) IP range scan: choose this mode if you want to audit a group of computers within a single IP range
( ) Domain scan: choose this mode if you want to audit computers that are part of the same domain(s)
( ) Host file scan: choose this mode to audit computers specified in the host file. The most common scenario is to audit a group of computers without auditing an IP range or a domain
( ) Export audit agent: choose this mode if you want to audit computers using a domain login script. An audit agent will be exported to a shared directory. It can later be used in the domain login script.

To continue, click Next.

FIGURE 11.6: Global Network Inventory Audit Scan Mode

8. Set an IP range scan and then click Next in the IP Range Scan wizard.

9. In the Authentication Settings wizard, select Connect as, fill in the respective credentials of your Windows Server 2008 virtual machine, and click Next. These credentials are presented to every host in the range, so prefer a dedicated audit account over a domain administrator where you can.

Fully customizable layouts and color schemes on all views and reports.

Export data to HTML, XML, Microsoft Excel, and text formats.

Licenses are network-based rather than user-based. In addition, extra licenses to cover additional addresses can be purchased at any time if required.


The program comes with dozens of customizable reports. New reports can be easily added through the user interface.

New Audit Wizard: Authentication Settings. Specify the authentication settings to use to connect to a remote computer. ( ) Connect as currently logged on user / (•) Connect as: Domain\User name, Password. To continue, click Next.

FIGURE 11.8: Global Network Inventory Authentication settings

10. Leave the settings as default and click Finish to complete the wizard.

Ability to generate reports on schedule after every scan, daily, weekly, or monthly.

To configure reports choose Reports | Configure reports from the main menu and select a report from the tree control on the left. Each report can be configured independently.

New Audit Wizard: Completing the New Audit Wizard. You are ready to start a new IP range scan. You can set the following options for this scan: [x] Do not record unavailable nodes; [x] Open scan progress dialog when scan starts; [ ] Rescan nodes that have been successfully scanned; [ ] Rescan, but no more than once a day. To complete this wizard, click Finish.

FIGURE 11.9: Global Network Inventory final Audit wizard

11. It displays the scanning progress in the Scan progress window.


Filtering is a quick way to find a subset of data within a dataset. A filtered grid displays only the nodes that meet the criteria you specified for a column(s).

Scan progress: each address in the range is probed in turn; reachable nodes show a host name and a completion percentage (for example 10.0.0.4 WIN-ULY858KHQIP, 10.0.0.6 ADMINPC, 10.0.0.7 WIN-039MR5HL9E4), with elapsed time and "Scanned nodes: 0/24" at the bottom. Options: [x] Open this dialog when scan starts; [x] Close this dialog when scan completes; [x] Don't display completed scans. Stop / Close

FIGURE 11.10: Global Network Inventory Scanning Progress

12. After completion, the scanning results can be viewed as shown in the following figure.

Global Network Inventory lets you change the grid layout simply by dragging column headers using the mouse. Dropping a header onto the Grouping pane groups data according to the values stored within the "grouped" column.

Results grid: domain WORKGROUP (COUNT=2), with rows for 10.0.0.4 and 10.0.0.7, both with status Success, showing host name, MAC address, vendor, OS and processor columns.

FIGURE 11.11: Global Network Inventory result window

13. Now select the Windows Server 2008 machine from the view results to view individual results.


FIGURE 11.12: Global Network Inventory Individual machine results

14. The Scan Summary section gives you a brief summary of the machines that have been scanned.


FIGURE 11.13: Global Inventory Scan Summary tab

15. The Bios section gives details of BIOS settings.

The Global Network Inventory grid color scheme is completely customizable. You can change Global Network Inventory colors by selecting Tools | Grid colors from the main menu and changing colors.

To configure the results history level, choose Scan | Results history level from the main menu and set the desired history level.


Scan only items that you need by customizing scan elements.

16. The Memory tab summarizes the memory in your scanned machine.

E-mail address - Specifies the e-mail address that people should use when sending e-mail to you at this account. The e-mail address must be in the format name@company, for example, someone@mycompany.com.

17. In the NetBIOS section, complete details can be viewed.

FIGURE 11.15: Global Network Inventory Memory tab

FIGURE 11.14: Global Network Inventory Bios summary tab


Message subject - Type the subject of your message. Global Network Inventory cannot post a message that does not contain a subject.

FIGURE 11.16: Global Network Inventory NetBIOS tab

18. The User Groups tab shows user account details within the workgroup.

Name - Specifies the friendly name associated with your e-mail address. When you send messages, this name appears in the From box of your outgoing messages.

19. The Logged on tab shows detailed logged-on information for the machine.


FIGURE 11.17: Global Network Inventory User groups section



Port - Specifies the port number you connect to on your outgoing e-mail (SMTP) server. This port number is usually 25.

20. The Port connectors section shows the ports connected in the network.

Outgoing mail (SMTP) - Specifies your Simple Mail Transfer Protocol (SMTP) server for outgoing messages.

21. The Service section gives the details of the services installed in the machine.


FIGURE 11.19: Global Network Inventory Port connectors tab


FIGURE 11.18: Global Network Inventory Logged on section



FIGURE 11.20: Global Network Inventory Services section

22. The Network Adapters section shows the Adapter IP and Adapter type.

To create a new custom report that includes more than one scan element, choose Reports | Configure reports from the main menu, click the Add button on the reports dialog, customize settings as desired, and click the OK button.


A security account password is created to make sure that no other user can log on to Global Network Inventory. By default, Global Network Inventory uses a blank password.

FIGURE 11.21: Global Network Inventory Network Adapter tab
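The categories walked through in steps 14 to 22 (summary, BIOS, memory, user groups, port connectors, services, network adapters) can be collected from a host you are authorized to audit with the built-in PowerShell CIM cmdlets. This is an added example, not Global Network Inventory's own code; the computer name is a placeholder and the credential is assumed to have local administrator rights on the audited host (the "Connect as Domain\User" setting from the wizard).

```powershell
# Added example: inventory a remote Windows host over WMI/CIM using the same
# categories as the Global Network Inventory tabs above. Not the tool's own code.
# Assumptions: the host name below is a placeholder, and the account supplied has
# local administrator rights on it (the "Connect as Domain\User" audit setting).
param(
    [string]$ComputerName = 'TARGET-HOST-PLACEHOLDER',
    [pscredential]$Credential = (Get-Credential -Message "Domain\User for $ComputerName")
)

# One CIM session is reused for every query (WS-Man first, DCOM fallback for
# hosts where WinRM is not enabled).
try {
    $session = New-CimSession -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop
} catch {
    $dcom = New-CimSessionOption -Protocol Dcom
    $session = New-CimSession -ComputerName $ComputerName -Credential $Credential -SessionOption $dcom
}

$inventory = [ordered]@{}

# Scan summary and BIOS tabs
$cs   = Get-CimInstance -CimSession $session -ClassName Win32_ComputerSystem
$os   = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem
$bios = Get-CimInstance -CimSession $session -ClassName Win32_BIOS
$inventory['Summary'] = [pscustomobject]@{
    HostName = $cs.Name
    Domain   = $cs.Domain
    OS       = $os.Caption
    Vendor   = $cs.Manufacturer
    LoggedOn = $cs.UserName          # interactive console user, if any (Logged on tab)
    BIOS     = "$($bios.Manufacturer) $($bios.SMBIOSBIOSVersion)"
}

# Memory tab: WMI reports these OS counters in KB, module capacity in bytes
$inventory['Memory'] = [pscustomobject]@{
    TotalPhysicalMB     = [math]::Round($os.TotalVisibleMemorySize / 1KB)
    AvailablePhysicalMB = [math]::Round($os.FreePhysicalMemory / 1KB)
    TotalVirtualMB      = [math]::Round($os.TotalVirtualMemorySize / 1KB)
    ModulesMB           = (Get-CimInstance -CimSession $session -ClassName Win32_PhysicalMemory |
                           ForEach-Object { [math]::Round($_.Capacity / 1MB) }) -join ','
}

# User Groups tab: local groups only
$inventory['UserGroups'] = Get-CimInstance -CimSession $session -ClassName Win32_Group -Filter 'LocalAccount = TRUE' |
    Select-Object Name, SID

# Port connectors tab: physical ports (serial, PS/2, USB ...)
$inventory['PortConnectors'] = Get-CimInstance -CimSession $session -ClassName Win32_PortConnector |
    Select-Object ExternalReferenceDesignator, PortType

# Services tab: name, state, start mode, service account and binary path
$inventory['Services'] = Get-CimInstance -CimSession $session -ClassName Win32_Service |
    Select-Object Name, State, StartMode, StartName, PathName

# Network Adapters tab: description, MAC, IP and DHCP state of IP-enabled adapters
$inventory['NetworkAdapters'] = Get-CimInstance -CimSession $session -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, MACAddress, @{n='IPAddress'; e={ $_.IPAddress -join ',' }}, DHCPEnabled

Remove-CimSession $session

# Review on screen, then keep the evidence for the Lab Analysis write-up
$inventory['Summary'] | Format-List
$inventory['Services'] | Where-Object { $_.State -eq 'Running' } | Format-Table -AutoSize
$inventory | ConvertTo-Json -Depth 4 | Set-Content -Path ".\inventory-$ComputerName.json"
```

Run it from an elevated PowerShell on the scanning machine; the JSON file it writes holds the same per-host evidence the tool's tabs display.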

Lab Analysis

Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.


Tool/Utility: Global Network Inventory

Information Collected/Objectives Achieved:

IP Scan Range: 10.0.0.1 - 10.0.0.50

Scanned IP Address: 10.0.0.7, 10.0.0.4

Result:

■ Scan summary

■ Bios

■ Memory

■ NetBIOS

■ User Group

■ Logged On

■ Port connector

■ Services

■ Network Adapter

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Can Global Network Inventory audit remote computers and network appliances, and if yes, how?

2. How can you export the Global Network agent to a shared network directory?

Internet Connection Required

□ Yes ☑ No

Platform Supported

☑ Classroom ☑ iLabs


Anonymous Browsing using Proxy Switcher

Proxy Switcher allows you to automatically execute actions based on the detected network connection.

Lab Scenario

In the previous lab, you gathered information like scan summary, NetBIOS details, services running on a computer, etc. using Global Network Inventory. NetBIOS provides programs with a uniform set of commands for requesting the lower-level services that the programs must have to manage names, conduct sessions, and send datagrams between nodes on a network. A vulnerability has been identified in Microsoft Windows which involves one of the NetBIOS over TCP/IP (NetBT) services, the NetBIOS Name Server (NBNS). With this service, the attacker can find a computer's IP address by using its NetBIOS name, and vice versa. The response to a NetBT name service query may contain random data from the destination computer's memory; an attacker could seek to exploit this vulnerability by sending the destination computer a NetBT name service query and then looking carefully at the response to determine whether any random data from that computer's memory is included.

As an expert penetration tester, you should follow typical security practices; to block such Internet-based attacks, block port 137 User Datagram Protocol (UDP) at the firewall. You must also understand how networks are scanned using Proxy Switcher.
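The mitigation named above, blocking UDP port 137 inbound at the host firewall and checking what is still bound to it, as an added example using the built-in NetSecurity cmdlets of Windows 8 / Server 2012 and later (not part of the original lab; the rule name is a constructed label).

```powershell
# Added example: block inbound NetBIOS Name Service (UDP 137) with the Windows
# firewall and verify the result. Not part of the original lab; $ruleName is a
# constructed label. Requires an elevated PowerShell on Windows 8 / Server 2012+.
$ruleName = 'Block NetBIOS Name Service (UDP 137) inbound'

# Idempotent: reuse the rule if a previous run already created it
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $rule) {
    $rule = New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol UDP -LocalPort 137 `
        -Action Block -Profile Any -Enabled True
}

# Verify what was actually installed: Block, Inbound, UDP/137, on every profile
$port = $rule | Get-NetFirewallPortFilter
[pscustomobject]@{
    Name      = $rule.DisplayName
    Enabled   = $rule.Enabled
    Direction = $rule.Direction
    Action    = $rule.Action
    Profile   = $rule.Profile
    Protocol  = $port.Protocol
    LocalPort = $port.LocalPort
} | Format-List

# The NetBT driver binds UDP 137 on every adapter with NetBIOS over TCP/IP
# enabled; list those bindings so you know which interfaces the rule protects
Get-NetUDPEndpoint -LocalPort 137 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize

# The NetBT setting per IP-enabled adapter (TcpipNetbiosOptions: 0 = from DHCP,
# 1 = enabled, 2 = disabled), so the firewall rule is not the only control relied on
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, TcpipNetbiosOptions | Format-Table -AutoSize
```

On a host that must still answer NBNS on the internal LAN, narrow the rule with -Profile Public (or -RemoteAddress) instead of Any so only the Internet-facing profile drops the queries.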

Lab Objectives

This lab will show you how networks can be scanned and how to use Proxy Switcher. It will teach you how to:

■ Hide your IP address from the websites you visit

■ Switch proxy servers for improved anonymous surfing

ICON KEY: Valuable information | Test your knowledge | Web exercise | Workbook review


Lab Environment

To carry out the lab, you need:

■ Proxy Switcher is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Switcher

■ You can also download the latest version of Proxy Workbench from this link http://www.proxyswitcher.com/

■ If you decide to download the latest version, then screenshots shown in the lab might differ

■ A computer running Windows Server 2012

■ A web browser with Internet access

■ Follow wizard-driven installation steps to install Proxy Switcher

■ Administrative privileges to run tools

Lab Duration

Time: 15 Minutes

Overview of Proxy Switcher

Proxy Switcher allows you to automatically execute actions based on the detected network connection. As the name indicates, Proxy Switcher comes with some default actions, for example, setting proxy settings for Internet Explorer, Firefox, and Opera.

Lab Tasks

1. Install Proxy Workbench in Windows Server 2012 (Host Machine)

2. Proxy Switcher is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Switcher

3. Follow the wizard-driven installation steps and install it in all platforms of the Windows operating system.

4. This lab will work in the CEH lab environment - on Windows Server 2012, Windows Server 2008 and Windows 7

5. Open the Firefox browser in your Windows Server 2012, go to Tools, and click Options in the menu bar.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

Automatic change of proxy configurations (or any other action) based on network information.



FIGURE 12.1: Firefox Options tab

6. Go to the Advanced profile in the Options wizard of Firefox, select the Network tab, and then click Settings.

[Options dialog, Advanced > Network tab: Connection "Configure how Firefox connects to the Internet" with a Settings... button; Cached Web Content; Offline Web Content and User Data]

FIGURE 12.2: Firefox Network Settings

7. Select the Use system proxy settings radio button, and click OK.

Often different Internet connections require completely different proxy server settings, and it's a real pain to change them manually.

Proxy Switcher is fully compatible with Internet Explorer, Firefox, Opera and other programs.


[Connection Settings dialog, "Configure Proxies to Access the Internet": No proxy / Auto-detect proxy settings for this network / Use system proxy settings (selected) / Manual proxy configuration with HTTP Proxy 127.0.0.1, "Use this proxy server for all protocols", SSL Proxy, FTP Proxy, SOCKS Host 127.0.0.1 (SOCKS v4 / SOCKS v5), No Proxy for: localhost, 127.0.0.1 / Automatic proxy configuration URL]

Proxy Switcher supports the following command line options:

-d: Activate direct connection

FIGURE 12.3: Firefox Connection Settings

8. Now, to install Proxy Switcher Standard, follow the wizard-driven installation steps.

9. To launch Proxy Switcher Standard, go to the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 12.4: Windows Server 2012 - Desktop view

10. Click the Proxy Switcher Standard app to open the Proxy Switcher window.

OR

Click Proxy Switcher from the Tray Icon list.

TASK 1: Proxy Servers Downloading



FIGURE 12.5: Windows Server 2012 - Apps


FIGURE 12.6: Select Proxy Switcher

11. The Proxy List Wizard will appear as shown in the following figure; click Next.


Proxy Switcher is free to use without limitations for personal and commercial use.

If the server becomes inaccessible, Proxy Switcher will try to find a working proxy server; a reddish background will be displayed till a working proxy server is found.


Proxy Switcher supports LAN, dialup, VPN and other RAS connections.

12. Select the Find New Servers, Rescan Servers, Recheck Dead radio button from Common Tasks, and click Finish.

Proxy switching from the command line (can be used at logon to automatically set connection settings).

13. A list of downloaded proxy servers will show in the left panel.

[Proxy List Wizard, Common Tasks: Find New Servers, Rescan Servers, Recheck Dead (selected) / Find 100 New Proxy Servers / Find New Proxy Servers Located in a Specific Country / Rescan Working and Anonymous Proxy Servers; click Finish to continue]

FIGURE 12.8: Select common tasks

[Proxy List Wizard welcome page: "Using this wizard you can quickly complete common proxy list management tasks." Click Next to continue]

FIGURE 12.7: Proxy List wizard



FIGURE 12.9: List of downloaded Proxy Servers

14. To stop downloading the proxy servers, click


FIGURE 12.10: Click on Start button

15. Click Basic Anonymity in the right panel; it shows a list of downloaded proxy servers.

When Proxy Switcher is running in Keep Alive mode, it tries to maintain a working proxy server connection by switching to a different proxy server if the current one dies.

When the active proxy server becomes inaccessible, Proxy Switcher will pick a different server from the Proxy Switcher category. If the active proxy server is currently alive, the background will be green.



FIGURE 12.11: Selecting downloaded Proxy server from Basic Anonymity

16. Select one Proxy server IP address from the right panel to switch to the selected proxy server, and click the icon.

[Figure: Proxy Switcher window with a server from the Basic Anonymity list selected]

FIGURE 12.12: Selecting the proxy server

17. The selected proxy server will connect, and it will show the following connection icon.

When running in Auto Switch mode, Proxy Switcher will switch active proxy servers regularly. The switching period can be set with a slider from 5 minutes to 10 seconds.

In addition to the standard add/remove/edit functions, the proxy manager contains functions useful for anonymous surfing and proxy availability testing.


[Figure: Proxy Switcher window, title bar reading "Active Proxy: 95.110.159.54:8030 - ITALY"]

FIGURE 12.13: Successful connection of selected proxy

18. Go to a web browser (Firefox), and type the following URL http://www.proxyswitcher.com/check.php to check the selected proxy server connectivity; if it is successfully connected, then it shows the following figure.

[Figure: "Detecting your location" page in Mozilla Firefox. Your possible IP address is: 202.53.11.130, 192.168.1.1; Location: Unknown; Proxy Information: Proxy Server: DETECTED, Proxy IP: 95.110.159.67, Proxy Country: Unknown]

FIGURE 12.14: Detected Proxy server

19. Open another tab in the web browser, and surf anonymously using this proxy.

Starting from version 3.0, Proxy Switcher incorporates an internal proxy server. It is useful when you want to use other applications (besides Internet Explorer) that support an HTTP proxy via Proxy Switcher. By default it waits for connections on localhost:3128.


[Figure: Google search for "proxy server" in Mozilla Firefox, served through the Italian proxy (results page in Italian)]

After the anonymous proxy servers have become available for switching, you can activate any one to become invisible for the sites you visit.

FIGURE 12.14: Surf using Proxy server

Lab Analysis

Document all the IP addresses of live (SSL) proxy servers and the connectivity you discovered during the lab.

Tool/Utility: Proxy Switcher

Information Collected/Objectives Achieved:

Server: List of available Proxy servers

Selected Proxy Server IP Address: 95.110.159.54

Selected Proxy Country Name: ITALY

Resulted Proxy server IP Address: 95.110.159.67

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Examine which technologies are used for Proxy Switcher.

2. Evaluate why Proxy Switcher is not open source.


Internet Connection Required

☑ Yes ☐ No

Platform Supported

☑ Classroom ☐ iLabs


Lab 13

Daisy Chaining using Proxy Workbench

Proxy Workbench is a unique proxy server, ideal for developers, security experts, and trainers, which displays data in real time.

Lab Scenario

You have learned in the previous lab how to hide your actual IP using Proxy Switcher and browse anonymously. Similarly, an attacker with malicious intent can pose as someone else using a proxy server and gather information like account or bank details of an individual by performing social engineering. Once the attacker gains relevant information, he or she can hack into that individual's bank account for online shopping. Attackers sometimes use multiple proxy servers for scanning and attacking, making it very difficult for administrators to trace the real source of attacks.

As an administrator, you should be able to prevent such attacks by deploying an intrusion detection system with which you can collect network information for analysis to determine if an attack or intrusion has occurred. You can also use Proxy Workbench to understand how networks are scanned.

Lab Objectives

This lab will show you how networks can be scanned and how to use Proxy Workbench. It will teach you how to:

■ Use the Proxy Workbench tool

■ Daisy chain the Windows Host Machine and Virtual Machines

Lab Environment

To carry out the lab, you need:

■ Proxy Workbench is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Workbench

ICON KEY

Valuable information

Test your knowledge

Web exercise

Workbook review


■ You can also download the latest version of Proxy Workbench from this link http://proxyworkbench.com

■ If you decide to download the latest version, then the screenshots shown in the lab might differ

■ A computer running Windows Server 2012 as attacker (host machine)

■ Another computer running Windows Server 2008, and Windows 7 as victim (virtual machine)

■ A web browser with Internet access

■ Follow the wizard-driven installation steps to install Proxy Workbench

■ Administrative privileges to run tools

Lab Duration

Time: 20 Minutes

Overview of Proxy Workbench

Proxy Workbench is a proxy server that displays its data in real time. It shows the data flowing between the web browser and the web server, and it even analyzes FTP in passive and active modes.

Lab Tasks

1. Install Proxy Workbench on all platforms of the Windows operating system (Windows Server 2012, Windows Server 2008, and Windows 7).

2. Proxy Workbench is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Proxy Tools\Proxy Workbench

3. You can also download the latest version of Proxy Workbench from this link http://proxyworkbench.com

4. Follow the wizard-driven installation steps and install it on all platforms of the Windows operating system.

5. This lab will work in the CEH lab environment - on Windows Server 2012, Windows Server 2008, and Windows 7.

6. Open the Firefox browser in your Windows Server 2012, go to Tools, and click Options.

Security: Proxy servers provide a level of security within a network. They can help prevent security attacks, as the only way into the network from the Internet is via the proxy server.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

[Figure: Google start page in Mozilla Firefox with the Tools menu open and Options highlighted]

FIGURE 13.1: Firefox options tab

7. Go to the Advanced profile in the Options wizard of Firefox, select the Network tab, and then click Settings.

[Figure: Firefox Options dialog, Advanced section, Network tab (Connection: Settings..., Cached Web Content, Offline Web Content and User Data)]

FIGURE 13.2: Firefox Network Settings

The sockets panel shows the number of Alive socket connections that Proxy Workbench is managing. During periods of no activity this will drop back to zero.


8. Check Manual proxy configuration in the Connection Settings wizard.

9. Type HTTP Proxy as 127.0.0.1 and enter the port value as 8080, check the option Use this proxy server for all protocols, and click OK.

[Figure: Firefox Connection Settings dialog with Manual proxy configuration selected; HTTP Proxy 127.0.0.1, Port 8080; Use this proxy server for all protocols checked; No Proxy for localhost, 127.0.0.1]

FIGURE 13.3: Firefox Connection Settings

10. While configuring, if you encounter any port error, please ignore it.

11. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

[Figure: Windows Server 2012 desktop]

FIGURE 13.4: Windows Server 2012 - Desktop view

12. Click the Proxy Workbench app to open the Proxy Workbench window.

The status bar shows the details of Proxy Workbench's activity. The first panel displays the amount of data Proxy Workbench currently has in memory. The actual amount of memory that Proxy Workbench is consuming is generally much more than this due to the overhead in managing it.

Scan computers by IP range, by domain, single computers, or computers defined by the Global Network Inventory host file.


[Figure: Windows Server 2012 Apps screen showing Server Manager, Windows PowerShell, Hyper-V Manager, Command Prompt, Mozilla Firefox, Global Network Inventory, and Proxy Workbench tiles]

FIGURE 13.5: Windows Server 2012 - Apps

13. The Proxy Workbench main window appears as shown in the following figure.

[Figure: Proxy Workbench main window monitoring SMTP - Outgoing e-mail (25), POP3 - Incoming e-mail (110), HTTP Proxy - Web (8080), HTTPS Proxy - Secure Web (443), FTP - File Transfer Protocol (21), and Pass Through - For Testing Apps (1000); the Details pane lists From/To/Protocol/Started for each connection and the real time data pane shows an HTTP request to mail.google.com]

FIGURE 13.6: Proxy Workbench main window

14. Go to Tools on the toolbar, and select Configure Ports.

The events panel displays the total number of events that Proxy Workbench has in memory. By clearing the data (File -> Clear All Data) this will decrease to zero if there are no connections that are Alive.

The last panel displays the current time as reported by your operating system.


[Figure: Proxy Workbench main window with the Tools menu open (Save Data..., Configure Ports..., Failure Simulation..., Real Time Logging, Options...)]

FIGURE 13.7: Proxy Workbench Configure Ports option

15. In the Configure Proxy Workbench wizard, select 8080 HTTP Proxy - Web in the left pane of Ports to listen on.

16. Check HTTP in the right pane of protocol assigned to port 8080, and click Configure HTTP for port 8080.

[Figure: Configure Proxy Workbench dialog; Ports to listen on: 25 SMTP, 110 POP3, 8080 HTTP Proxy - Web, 443 HTTPS Proxy - Secure Web, 21 FTP, 1000 Pass Through; Protocol assigned to port 8080: HTTP checked; button "Configure HTTP for port 8080"]

FIGURE 13.8: Proxy Workbench Configuring HTTP for Port 8080

17. The HTTP Properties window appears. Now check Connect via another proxy, enter your Windows Server 2003 virtual machine IP address in Proxy Server, enter 8080 in Port, and then click OK.

The "Show the real time data window" option allows the user to specify whether the real-time data pane should be displayed or not.

People who benefit from Proxy Workbench:

■ Home users who have taken the first step in understanding the Internet and are starting to ask "But how does it work?"

■ People who are curious about how their web browser, email client or FTP client communicates with the Internet.

■ People who are concerned about malicious programs sending sensitive information out into the Internet. The information that programs are sending can be readily identified.

■ Internet software developers who are writing programs to existing protocols. Software development for the Internet is often very complex, especially when a program is not properly adhering to a protocol. Proxy Workbench allows developers to instantly identify protocol problems.

■ Internet software developers who are creating new protocols and developing the client and server software simultaneously. Proxy Workbench will help identify non-compliant protocol

■ Internet Security experts will benefit from seeing the data flowing in real-time. This will help them see who is doing what and when.


Many people understand sockets much better than they think. When you surf the web and go to a website called www.altavista.com, you are actually directing your web browser to open a socket connection to the server called "www.altavista.com" with port number 80.

FIGURE 13.9: Proxy Workbench HTTP for Port 8080

18. Click Close in the Configure Proxy Workbench wizard after completing the configuration settings.

The real time logging allows you to record everything Proxy Workbench does to a text file. This allows the information to be readily imported into a spreadsheet or database so that the most advanced analysis can be performed on the data.

19. Repeat the configuration steps of Proxy Workbench from Step 11 to Step 15 in the Windows Server 2008 Virtual Machine.

[Figure: Configure Proxy Workbench dialog with port 8080 HTTP Proxy - Web selected and "Show this screen at startup" checked]

FIGURE 13.10: Proxy Workbench Configured proxy

[Figure: HTTP Properties dialog, General tab, with "Connect via another proxy" selected, Proxy server 10.0.0.7, Port 8080]


20. In Windows Server 2008, type the IP address of the Windows 7 Virtual Machine.

21. Open a Firefox browser in Windows Server 2008 and browse web pages.

22. Proxy Workbench generates the traffic, as shown in the following figure of Windows Server 2008.

23. Check the To column; it is forwarding the traffic to 10.0.0.3 (Windows Server 2008 virtual machine).

[Figure: Proxy Workbench on the Windows Server 2012 host (monitoring 10.0.0.2); the Details pane shows HTTP connections whose To column points at the next proxy hop]

FIGURE 13.11: Proxy Workbench Generated Traffic in Windows Server 2012 Host Machine

24. Now log in to the Windows Server 2008 Virtual Machine, and check the To column; it is forwarding the traffic to 10.0.0.7 (Windows 7 Virtual Machine).

[Figure: Proxy Workbench on the Windows Server 2008 virtual machine; the Details pane lists HTTP connections from 10.0.0.6 with the To column showing 10.0.0.7:8080]

FIGURE 13.12: Proxy Workbench Generated Traffic in Windows Server 2003 Virtual Machine

Proxy Workbench changes this. Not only is it an awesome proxy server, but you can see all of the data flowing through it, visually display a socket connection history and save it to HTML.

And now, Proxy Workbench includes connection failure simulation strategies. What this means is that you can simulate a poor network, a slow Internet or an unresponsive server. This makes it the definitive TCP application tester.


25. Select On the web server, connect to port 80 in the Windows 7 virtual machine, and click OK.

[Figure: HTTP Properties dialog, General tab, with "On the web server, connect to port" selected]

It allows you to 'see' how your email client communicates with the email server, how web pages are delivered to your browser and why your FTP client is not connecting to its server.

FIGURE 13.13: Configuring HTTP properties in Windows 7

2 6 . N o w C h e c k d ie t r a f f i c i n 10.0.0.7 ( W in d o w s 7 V i r t u a l M a c h in e ) “ TO” c o l u m n s h o w s t r a f f i c g e n e r a te d f i o m d ie d i f f e r e n t w e b s i te s b r o w s e d i n

W indows Server 2008

" Unix


In the Connection Tree, if a protocol or a client/server pair is selected, the Details pane displays summary information for all of the socket connections that are in progress for the selected item on the Connection Tree.

FIGURE 13.14: Proxy Workbench Generated Traffic in Windows 7 Virtual Machine

Lab Analysis

Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

CEH Lab Manual Page 219


Tool/Utility        Information Collected/Objectives Achieved

Proxy Workbench     Proxy server used: 10.0.0.7
                    Port scanned: 8080
                    Result: Traffic captured by Windows 7 virtual machine (10.0.0.7)

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Examine the Connection Failure - Termination and Refusal.

2. Evaluate how real-time logging records everything in Proxy Workbench.

Internet Connection Required

[x] Yes  [ ] No

Platform Supported

[x] Classroom  [ ] iLabs


HTTP Tunneling Using HTTPort

HTTPort is a program from HTTHost that creates a transparent tunnel through a proxy server or firewall.

Lab Scenario

Attackers are always on the hunt for clients that can be easily compromised, and they can enter these networks with IP spoofing to damage or steal data. The attacker can get packets through a firewall by spoofing the IP address. If attackers are able to capture network traffic, as you have learned to do in the previous lab, they can perform Trojan attacks, registry attacks, password hijacking attacks, etc., which can prove to be disastrous for an organization's network. An attacker may use a network probe to capture raw packet data and then use this raw packet data to retrieve packet information such as source and destination IP address, source and destination ports, flags, header length, checksum, Time to Live (TTL), and protocol type.

Therefore, as a network administrator you should be able to identify attacks by extracting information from captured traffic such as source and destination IP addresses, protocol type, header length, source and destination ports, etc., and compare these details with modeled attack signatures to determine if an attack has occurred. You can also check the attack logs for the list of attacks and take evasive actions.

Also, you should be familiar with the HTTP tunneling technique, by which you can identify additional security risks that may not be readily visible by conducting simple network and vulnerability scanning, and determine the extent to which a network IDS can identify malicious traffic within a communication channel. In this lab you will learn HTTP tunneling using HTTPort.

Lab Objectives

This lab will show you how networks can be scanned and how to use HTTPort and HTTHost.

Lab Environment

In the lab, you need the HTTPort tool.

ICON KEY

Valuable information

Test your knowledge

Web exercise

Workbook review


■ HTTPort is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTPort

■ You can also download the latest version of HTTPort from the link http://www.targeted.org/

■ If you decide to download the latest version, then the screenshots shown in the lab might differ

■ Install HTTHost on the Windows Server 2008 virtual machine

■ Install HTTPort on the Windows Server 2012 host machine

■ Follow the wizard-driven installation steps and install it

■ Administrative privileges are required to run this tool

■ This lab might not work if the remote server filters/blocks HTTP tunneling packets

Lab Duration

Time: 20 Minutes

Overview of HTTPort

HTTPort creates a transparent tunnel through a proxy server or firewall. HTTPort allows using all sorts of Internet software from behind the proxy. It bypasses HTTP proxies, firewalls, and transparent accelerators.

Lab Tasks

Before running the tool you need to stop the IIS Admin Service and World Wide Web Publishing services on the Windows Server 2008 virtual machine.

1. Go to Administrative Privileges > Services > IIS Admin Service, right-click and click the Stop option.

HTTPort creates a transparent tunnel through a proxy server or firewall. This allows you to use all sorts of Internet software from behind the proxy.

Stopping IIS Services

2.

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks



FIGURE 14.1: Stopping IIS Admin Service in Windows Server 2008

3. Go to Administrative Privileges > Services > World Wide Web Publishing Services, right-click and click the Stop option.


It bypasses HTTPS and HTTP proxies, transparent accelerators, and firewalls. It has a built-in SOCKS4 server.

FIGURE 14.2: Stopping World Wide Web Services in Windows Server 2008

4. Open the mapped network drive "CEH-Tools": Z:\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTHost

5. Open the HTTHost folder and double-click htthost.exe.

6. The HTTHost wizard will open; select the Options tab.

7. On the Options tab, set all the settings to default except the Personal Password field, which should be filled in with any other password. In this lab, the personal password is "magic".

It supports strong traffic encryption, which makes proxy logging useless, and supports NTLM and other authentication schemes.


8. Check the Revalidate DNS names and Log connections options and click Apply.

[Figure 14.3 residue: HTTHost 1.8.5 Options tab. Fields: Bind external to 0.0.0.0, Port 80; Personal password; Bind listening to 0.0.0.0; Allow access from 0.0.0.0; Pass-through unrecognized requests to host 127.0.0.1, Port 81, Original IP header field X-Original-IP; Timeouts; Max. local buffer; Revalidate DNS names and Log connections check boxes; Apply button. Tabs: Statistics, Application log, Options, Security, Send a Gift.]

FIGURE 14.3: HTTHost Options tab

9. Now leave HTTHost intact, and don't turn off the Windows Server 2008 virtual machine.

10. Now switch to the Windows Server 2012 host machine, and install HTTPort from D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Tunneling Tools\HTTPort by double-clicking httport3snfm.exe.

11. Follow the wizard-driven installation steps.

12. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop.

FIGURE 14.4: Windows Server 2012 - Desktop view

13. Click the HTTPort 3.SNFM app to open the HTTPort 3.SNFM window.

To set up HTTPort you need to point your browser to 127.0.0.1

HTTPort goes with the predefined mapping "External HTTP proxy" of local port



FIGURE 14.5: Windows Server 2012 - Apps

14. The HTTPort 3.SNFM window appears as shown in the figure that follows.

For each piece of software, create a custom mapping giving all the addresses from which it operates. For applications that dynamically change ports there is SOCKS4 proxy mode, in which the software will create a local SOCKS server (127.0.0.1).

[Figure 14.6 residue: HTTPort 3.SNFM main window with tabs System, Proxy, Port mapping, About, Register. Proxy tab fields: HTTP proxy to bypass (blank = direct or firewall): Host name or IP address, Port; Proxy requires authentication: Username, Password; Bypass mode; Misc. options: User-Agent IE 6.0; Use personal remote host at (blank = use public): Host name or IP address, Port, Password; Start button.]

FIGURE 14.6: HTTPort Main Window

15. Select the Proxy tab and enter the host name or IP address of the targeted machine.

16. Here as an example: enter the Windows Server 2008 virtual machine IP address, and enter Port number 80.

17. You cannot set the Username and Password fields.

18. In the Use personal remote host at section, click Start and then Stop, and then enter the targeted host machine IP address and port, which should be 80.


19. Here any password could be used. Here as an example: enter the password as "magic".

In a real-world environment, people sometimes use a password-protected proxy to let company employees access the Internet.

20. Select the Port mapping tab and click Add to create a New Mapping.

HTTHost supports registration, but it is free and password-free; you will be issued a unique ID, with which you can contact the support team and ask your questions.

21. Select the New Mapping node, right-click New Mapping, and click Edit.

[Figure 14.8 residue: HTTPort 3.SNFM Port mapping tab. Static TCP/IP port mappings (tunnels): New mapping node with Local port, Remote host (remote.host.name) and Remote port children; Select a mapping to see statistics (no stats - select a mapping); Built-in SOCKS4 server: Run SOCKS server (port 1080) checked; Available in "Remote Host" mode: Full SOCKS4 support (BIND).]

FIGURE 14.8: HTTPort creating a New Mapping

[Figure 14.7 residue: HTTPort 3.SNFM Proxy tab filled in. HTTP proxy to bypass: 10.0.0.4, Port 80; Bypass mode: Remote host; User-Agent: IE 6.0; Use personal remote host at: 10.0.0.4, Port 80, Password (masked); Start button.]

FIGURE 14.7: HTTPort Proxy settings window


[Figure 14.9 residue: HTTPort 3.SNFM Port mapping tab with the New mapping node selected and its context menu showing Add, Remove, Edit; Run SOCKS server (port 1080) checked.]

FIGURE 14.9: HTTPort Editing to assign a mapping

22. Rename this to ftp certified hacker, select the Local port node, then right-click, click Edit, and enter the port value 21.

23. Now right-click the Remote host node, click Edit, and rename it to ftp.certifiedhacker.com.

24. Now right-click the Remote port node, click Edit, and enter the port value 21.

[Figure 14.10 residue: HTTPort 3.SNFM Port mapping tab showing the mapping ftp certified hacker with Local port 21, Remote host ftp.certifiedhacker.com, Remote port 21; No stats - inactive; Run SOCKS server (port 1080) checked.]

FIGURE 14.10: HTTPort Static TCP/IP port mapping

25. Click Start on the Proxy tab of HTTPort to run the HTTP tunneling.


In this kind of environment, the federated search web part of Microsoft Search Server 2008 will not work out of the box because we only support a non-password-protected proxy.


[Figure 14.11 residue: HTTPort 3.SNFM Proxy tab with HTTP proxy to bypass 10.0.0.4, Port 80; Bypass mode: Remote host; User-Agent: IE 6.0; Use personal remote host at 10.0.0.4, Port 80, Password (masked); Start button.]

FIGURE 14.11: HTTPort to start tunneling

26. Now switch to the Windows Server 2008 virtual machine and click the Application log tab.

27. Check the last line: if it reads LISTENER: listening at 0.0.0.0:80, then it is running properly.

HTTP is the basis for Web surfing, so if you can freely surf the Web from where you are, HTTPort will bring you the rest of the Internet applications.

HTTHost 1.8.5

Application log:

    MAIN: HTTHOST 1.8.5 PERSONAL GIFTWARE DEMO starting
    MAIN: Project codename: 99 red balloons
    MAIN: Written by Dmitry Dvoinikov
    MAIN: (c) 1999-2004, Dmitry Dvoinikov
    MAIN: 64 total available connection(s)
    MAIN: network started
    MAIN: RSA keys initialized
    MAIN: loading security filters...
    MAIN: loaded filter "grant.dll" (allows all connections within ...
    MAIN: loaded filter "block.dll" (denies all connections within ...
    MAIN: done, total 2 filter(s) loaded
    MAIN: using transfer encoding: PrimeScrambler64/SevenTeg
    grant.dll: filters connections
    block.dll: filters connections
    LISTENER: listening at 0.0.0.0:80

Tabs: Statistics | Application log | Options | Security | Send a Gift

To make a data tunnel through the password-protected proxy, so we can map an external website to a local port and federate the search result.

FIGURE 14.12: HTTHost Application log section

28. Now switch to the Windows Server 2012 host machine and turn ON the Windows Firewall.

29. Go to Windows Firewall with Advanced Security.


30. Select Outbound Rules from the left pane of the window, and then click New Rule in the right pane of the window.

[Figure 14.13 residue: Windows Firewall with Advanced Security console, Outbound Rules list (BranchCache and Core Networking rules) and the New Rule... action in the right pane.]

FIGURE 14.13: Windows Firewall with Advanced Security window in Windows Server 2008

31. In the New Outbound Rule Wizard, select the Port option in the Rule Type section and click Next.

[Figure 14.14 residue: New Outbound Rule Wizard, Rule Type step. Options: Program (rule that controls connections for a program); Port (selected; rule that controls connections for a TCP or UDP port); Predefined (BranchCache - Content Retrieval (Uses HTTP)); Custom. Back, Next, Cancel buttons.]

FIGURE 14.14: Windows Firewall selecting a Rule Type


Tools demonstrated in this lab are available in the Z:\ mapped network drive in the virtual machines


32. Now select All remote ports in the Protocol and Ports section, and click Next.


[Figure 14.15 residue: New Outbound Rule Wizard, Protocol and Ports step. Does this rule apply to TCP or UDP? TCP selected. Does this rule apply to all remote ports or specific remote ports? All remote ports selected; Specific remote ports (example 80, 443, 5000-5010).]

HTTPort doesn't really care for the proxy as such; it works perfectly with firewalls, transparent accelerators, NATs and basically anything that lets the HTTP protocol through.

FIGURE 14.15: Windows Firewall assigning Protocols and Ports

33. In the Action section, select the Block the connection option and click Next.

[Figure 14.16 residue: New Outbound Rule Wizard, Action step. Options: Allow the connection; Allow the connection if it is secure (only connections authenticated by IPsec); Block the connection (selected).]

You need to install htthost on a PC that is generally accessible on the Internet, typically your "home" PC. This means that if you started a web server on the home PC, everyone else must be able to connect to it. There are two showstoppers for htthost on home PCs



F IG U R E 14.16: Windows Firewall setting an Action

34. In the Profile section, select all three options. The rule will apply to Domain, Public, and Private; then click Next.

[Figure 14.17 residue: New Outbound Rule Wizard, Profile step. When does this rule apply? Domain (when a computer is connected to its corporate domain), Private (when connected to a private network location such as a home or workplace), Public (when connected to a public network location); all three checked.]

NAT/firewall issues: You need to enable an incoming port. For HTThost it will typically be 80 (http) or 443 (https), but any port can be used, if the HTTP proxy at work supports it; some proxies are configured to allow only 80 and 443.

FIGURE 14.17: Windows Firewall Profile settings

35. Type Port 21 Blocked in the Name field, and click Finish.

[Figure 14.18 residue: New Outbound Rule Wizard, Name step. Name: Port 21 Blocked; Description (optional); Back, Finish, Cancel buttons.]


The default TCP port for an FTP connection is port 21. Sometimes the local Internet Service Provider blocks this port and this will result in FTP


FIGURE 14.18: Windows Firewall assigning a name to Port

36. The new rule Port 21 Blocked is created as shown in the following figure.

[Figure 14.19 residue: Windows Firewall with Advanced Security console, Outbound Rules list with the new rule Port 21 Blocked at the top, followed by the BranchCache and Core Networking rules; the right pane shows the rule actions Disable Rule, Cut, Copy, Delete, Properties, Help.]

FIGURE 14.19: Windows Firewall new rule

37. Right-click the newly created rule and select Properties.


FIGURE 14.20: Windows Firewall new rule properties

38. Select the Protocols and Ports tab. Change the Remote Port option to Specific Ports and enter the Port number as 21.

39. Leave the other settings as their defaults and click Apply, then click OK.

HTTPort doesn't really care for the proxy as such: it works perfectly with firewalls, transparent accelerators, NATs and basically anything that lets the HTTP protocol through.

HTTPort then intercepts that connection and runs it through a tunnel through the proxy.

Enables you to bypass your HTTP proxy in case it blocks you from the Internet.


With HTTPort, you can use various Internet software from behind the proxy, e.g., e-mail, instant messengers, P2P file sharing, ICQ, News, FTP, IRC, etc. The basic idea is that you set up your Internet software

40. Type ftp ftp.certifiedhacker.com in the command prompt and press Enter. The connection is blocked in Windows Server 2008 by the firewall.


FIGURE 14.21: Firewall Port 21 Blocked Properties

HTTPort neither freezes nor hangs. What you are experiencing is known as "blocking operations".

FIGURE 14.22: ftp connection is blocked

41. Now open the command prompt on the Windows Server 2012 host machine, type ftp 127.0.0.1 and press Enter.
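The outbound rule built through the wizard in steps 35 to 39, and the connectivity check of step 40, as an added PowerShell example that is not part of the CEH lab manual: it assumes an elevated prompt on Windows Server 2012 with the NetSecurity module, uses the lab's hostname ftp.certifiedhacker.com, and the Test-TcpPort function and its 3-second timeout are our own.

```powershell
# Added example, not from the CEH lab manual: the outbound rule of steps 35-39 and
# the connectivity check of step 40, done from an elevated PowerShell prompt on
# Windows Server 2012 (NetSecurity module). Test-TcpPort and the timeout are ours.

$ruleName = "Port 21 Blocked"

# Create the rule only if it does not exist yet, so re-running does not duplicate it.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
        -Protocol TCP -RemotePort 21 -Profile Any | Out-Null
}

# Read back what was actually written: enabled, outbound, blocking, TCP remote port 21.
$rule   = Get-NetFirewallRule -DisplayName $ruleName
$filter = $rule | Get-NetFirewallPortFilter
Write-Output ("{0}: Enabled={1} Direction={2} Action={3} {4}/RemotePort={5}" -f `
    $rule.DisplayName, $rule.Enabled, $rule.Direction, $rule.Action,
    $filter.Protocol, $filter.RemotePort)

# Step 40 without the ftp client: try a plain TCP connect to port 21. A connection
# dropped by an outbound block rule gets no RST back, it simply times out, so the
# check needs an explicit timeout to tell "blocked" apart from "refused".
function Test-TcpPort {
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return "timed out (blocked or filtered)"
        }
        $client.EndConnect($async)   # throws if the peer refused the connection
        return "connected"
    } catch {
        return "refused or unreachable: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

Write-Output ("ftp.certifiedhacker.com:21 -> " + (Test-TcpPort "ftp.certifiedhacker.com" 21))
# Step 41 of the lab connects to 127.0.0.1:21, the local HTTPort listener; the same
# probe shows whether that local listener is reachable while the rule is in place.
Write-Output ("127.0.0.1:21 -> " + (Test-TcpPort "127.0.0.1" 21))
```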

HTTPort makes it possible to open a client side of a TCP/IP connection and provide it to any software. The keywords here are: "client" and "any software".


FIGURE 14.23: Executing ftp command

Lab Analysis

Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.

Tool/Utility: HTTPort

Information Collected/Objectives Achieved:

Proxy server used: 10.0.0.4

Port scanned: 80

Result: ftp 127.0.0.1 connected to 127.0.0.1

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. How do you set up an HTTPort to use an email client (Outlook, Messenger, etc.)?

2. Examine if software does not allow editing the address to connect to.

Internet Connection Required

☑ Yes ☐ No

Platform Supported

☑ Classroom ☐ iLabs


Basic Network Troubleshooting Using MegaPing

MegaPing is an ultimate toolkit that provides complete essential utilities for information system administrators and IT solution providers.

Lab Scenario

You have learned in the previous lab that HTTP tunneling is a technique where communications within network protocols are captured using the HTTP protocol. For any company to exist on the Internet, it requires a web server. These web servers prove to be a high data value target for attackers. The attacker usually exploits the WWW server running IIS and gains command line access to the system. Once a connection has been established, the attacker uploads a precompiled version of the HTTP tunnel server (hts). With the hts server set up, the attacker then starts a client on his or her system and directs its traffic to the SRC port of the system running the hts server. This hts process listens on port 80 of the host WWW and redirects traffic. The hts process captures the traffic in HTTP headers and forwards it to the WWW server port 80, after which the attacker tries to log in to the system; once access is gained he or she sets up additional tools to further exploit the network.

MegaPing security scanner checks your network for potential vulnerabilities that might be used to attack your network, and saves information in security reports. In this lab you will learn to use MegaPing to check for vulnerabilities and troubleshoot issues.

Lab Objectives

This lab gives an insight into pinging a destination address list. It teaches how to:

■ Ping a destination address list

■ Traceroute

■ Perform NetBIOS scanning



Lab Environment

To carry out the lab, you need:

■ MegaPing, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\MegaPing

■ You can also download the latest version of MegaPing from the link http://www.magnetosoft.com/

■ If you decide to download the latest version, then screenshots shown in the lab might differ

■ Administrative privileges to run tools

■ TCP/IP settings correctly configured and an accessible DNS server

■ This lab will work in the CEH lab environment, on Windows Server 2012, Windows 2008, and Windows 7

Lab Duration

Time: 10 Minutes


PING stands for Packet Internet Groper.

Overview of Ping

The ping command sends Internet Control Message Protocol (ICMP) echo request packets to the target host and waits for an ICMP response. During this request-response process, ping measures the time from transmission to reception, known as the round-trip time, and records any packet loss.

Lab Tasks

TASK 1: IP Scanning

1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 13.1: Windows Server 2012 - Desktop view

2. Click the MegaPing app to open the MegaPing window.


FIGURE 15.2: Windows Server 2012 - Apps

3. The MegaPing main window appears, as shown in the following figure.

FIGURE 15.3: MegaPing main window

4. Select any one of the options from the left pane of the window.

5. Select IP scanner, and type in the IP range in the From and To fields; in this lab the IP range is from 10.0.0.1 to 10.0.0.254. Click Start.

6. You can select the IP range depending on your network.

All scanners can scan individual computers, any range of IP addresses, domains, and selected types of computers inside domains.

Security scanner provides the following information: NetBIOS names, configuration info, open TCP and UDP ports, transports, shares, users, groups, services, drivers, local drives, sessions, remote time of date, printers.



FIGURE 15.4: MegaPing IP Scanning

7. It will list all the IP addresses in that range with their TTL (Time to Live), Status (dead or alive), and the statistics of the dead and alive hosts.


FIGURE 15.5: MegaPing IP Scanning Report
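The ICMP echo sweep that the ping overview describes and that MegaPing's IP Scanner performs in steps 5 to 7, as an added PowerShell example that is not part of the lab manual or of MegaPing: it uses the .NET System.Net.NetworkInformation.Ping class over the lab's range 10.0.0.1 to 10.0.0.254, and the Invoke-PingSweep function name, the 500 ms timeout and the report layout are our own choices.

```powershell
# Added example, not from the CEH lab manual or MegaPing: an ICMP echo sweep of the
# lab's range with per-host TTL, round-trip time and status plus the Hosts Stats
# summary of Figure 15.5. Uses the .NET Ping class so it runs unchanged on the
# PowerShell 3.0 of Windows Server 2012 and on PowerShell 7. Function name, timeout
# and layout are our choices.

function Invoke-PingSweep {
    param(
        [string]$Network   = "10.0.0",   # first three octets of the /24 to sweep
        [int]   $First     = 1,
        [int]   $Last      = 254,
        [int]   $TimeoutMs = 500
    )
    $pinger  = New-Object System.Net.NetworkInformation.Ping
    $results = foreach ($i in $First..$Last) {
        $ip = "$Network.$i"
        # One echo request per address; Send() blocks until a reply or the timeout.
        $reply = $pinger.Send($ip, $TimeoutMs)
        $alive = ($reply.Status -eq [System.Net.NetworkInformation.IPStatus]::Success)
        [pscustomobject]@{
            Address = $ip
            # Reply options (and so the TTL) are only populated on success. A TTL near
            # 64 or 128 hints at the responder's OS family, which is what MegaPing's
            # TTL column is used for in the lab.
            TTL     = if ($alive -and $reply.Options) { $reply.Options.Ttl } else { $null }
            TimeMs  = if ($alive) { $reply.RoundtripTime } else { $null }
            # "Dead" means "no echo reply", not "host down": a host firewall that drops
            # ICMP (the Windows Server 2012 default on several profiles) looks the same.
            Status  = if ($alive) { "Alive" } else { "Dead ($($reply.Status))" }
        }
    }
    $results
}

$scan = Invoke-PingSweep -Network "10.0.0" -First 1 -Last 254

# Per-host table, alive hosts first, as in the MegaPing report.
$scan | Sort-Object Status | Format-Table -AutoSize

# The "Hosts Stats" line MegaPing shows: total, active and failed counts.
$active = @($scan | Where-Object { $_.Status -eq "Alive" }).Count
"Total: {0}  Active: {1}  Failed: {2}" -f $scan.Count, $active, ($scan.Count - $active)
```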

8. Select the NetBIOS Scanner from the left pane and type in the IP range in the From and To fields. In this lab, the IP range is from 10.0.0.1 to 10.0.0.254. Click Start.

Network utilities: DNS list host, DNS lookup name, Network Time Synchronizer, Ping, Traceroute, Whois, and Finger.

TASK 2: NetBIOS Scanning



FIGURE 15.6: MegaPing NetBIOS Scanning

9. The NetBIOS scan will list all the hosts with their NetBIOS names and adapter addresses.


FIGURE 15.7: MegaPing NetBIOS Scanning Report

10. Right-click the IP address. In this lab, the selected IP is 10.0.0.4; it will be different in your network.

11. Then, right-click and select the Traceroute option.

MegaPing can scan your entire network and provide information such as open shared resources, open ports, services/drivers active on the computer, key registry entries, users and groups, trusted domains, printers, and more.

Scan results can be saved in HTML or TXT reports, which can be used to secure your network, for example, by shutting down unnecessary ports, closing shares, etc.

TASK 3: Traceroute



FIGURE 15.8: MegaPing Traceroute

12. It will open the Traceroute window, and will trace the IP address selected.


FIGURE 15.9: MegaPing Traceroute Report

13. Select Port Scanner from the left pane, add www.certifiedhacker.com in the Destination Address List, and then click the Start button.

14. After clicking the Start button it toggles to Stop.

15. It will list the ports associated with www.certifiedhacker.com with the keyword, risk, and port number.

Other features include a multithreaded design that allows processing any number of requests in any tool at the same time, real-time network connection status and protocol statistics, real-time process information and usage, real-time network information, including network connections and open network files, system tray support, and more.


TASK 4: Port Scanning



FIGURE 15.10: MegaPing Port Scanning Report

Lab Analysis

Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.

Tool/Utility: MegaPing

Information Collected/Objectives Achieved:

IP Scan Range: 10.0.0.1 - 10.0.0.254

Performed Actions:

■ IP Scanning

■ NetBIOS Scanning

■ Traceroute

■ Port Scanning

Result:

■ List of Active Hosts

■ NetBIOS Name

■ Adapter Name

MegaPing security scanner checks your network for potential vulnerabilities that might be used to attack your network, and saves information in security reports.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. How does MegaPing detect security vulnerabilities on the network?

2. Examine the report generation of MegaPing.

Internet Connection Required

☐ Yes ☑ No

Platform Supported

☑ Classroom ☑ iLabs


Lab

Detect, Delete and Block Google Cookies Using G-Zapper

G-Zapper is a utility to block Google cookies, clean Google cookies, and help you stay anonymous while searching online.

Lab Scenario

You have learned in the previous lab that MegaPing security scanner checks your network for potential vulnerabilities that might be used to attack your network, and saves information in security reports. It provides detailed information about all computers and network appliances. It scans your entire network and provides information such as open shared resources, open ports, services/drivers active on the computer, key registry entries, users and groups, trusted domains, printers, etc. Scan results can be saved in HTML or TXT reports, which can be used to secure your network.

As an administrator, you can organize safety measures by shutting down unnecessary ports, closing shares, etc. to block attackers from intruding into the network. As another aspect of prevention you can use G-Zapper, which blocks Google cookies, cleans Google cookies, and helps you stay anonymous while searching online. This way you can protect your identity and search history.

Lab Objectives

This lab explains how G-Zapper automatically detects and cleans the Google cookie each time you use your web browser.

Lab Environment

To carry out the lab, you need:


■ G-Zapper is located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Anonymizers\G-Zapper

■ You can also download the latest version of G-Zapper from the link http://www.dummysoftware.com/

■ If you decide to download the latest version, then screenshots shown in the lab might differ

■ Install G-Zapper in Windows Server 2012 by following the wizard-driven installation steps

■ Administrative privileges to run tools

■ A computer running Windows Server 2012

Lab Duration

Time: 10 Minutes

Overview of G-Zapper

G-Zapper helps protect your identity and search history. G-Zapper will read the Google cookie installed on your PC, display the date it was installed, determine how long your searches have been tracked, and display your Google searches. G-Zapper allows you to automatically delete or entirely block the Google search cookie from future installation.

Lab Tasks

TASK 1: Detect & Delete Google Cookies

1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 16.1: Windows Server 2012 - Desktop view

2. Click the G-Zapper app to open the G-Zapper window.



FIGURE 16.2: Windows Server 2012 - Apps

3. The G-Zapper main window will appear as shown in the following screenshot.


FIGURE 16.3: G-Zapper main window

4. To delete the Google search cookies, click the Delete Cookie button; a window will appear that gives information about the deleted cookie location. Click OK.

G-Zapper is compatible with Windows 95, 98, ME, NT, 2000, XP, Vista, Windows 7.

G-Zapper helps protect your identity and search history. G-Zapper will read the Google cookie installed on your PC, display the date it was installed, determine how long your searches have been tracked, and display your Google searches.


[Screenshot: G-Zapper dialog box reading "The Google search cookie was removed and will be re-created with a new ID upon visiting www.google.com. The cookie was located at (Firefox) C:\Users\Administrator\ApplicationData\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite", with an OK button.]

C ] A n e w co o k ie w ill be gen erated u p o n yo u r nex t v is it to G o o g le , b reak in g th e ch a in th a t re la te s yo u r searches.

F IG U R E 16.4: D e le tin g search co o k ies

5. To block the Google search cookie, click the Block Cookie button. A window will appear asking if you want to manually block the Google cookie. Click Yes.

FIGURE 16.5: Block Google cookie (the "Manually Blocking the Google Cookie" dialog reads: "Gmail and other Google services will be unavailable while the cookie is manually blocked. If you use these services, we recommend not blocking the cookie and instead allow G-Zapper to regularly clean the cookie automatically. Are you sure you wish to manually block the Google cookie?" Yes / No)

6. A message appears stating that the Google cookie has been blocked. Click OK.

The tiny tray icon runs in the background, takes up very little space, and can notify you by sound and animation when the Google cookie is blocked.

FIGURE 16.6: Block Google cookie (2) (the dialog reads: "The Google cookie has been blocked. You may now search anonymously on google.com. Click the Test Google button to verify.")

7. To test that the Google cookie has been blocked, click the Test Google button.

8. Your default web browser will now open to Google's Preferences page. Click OK.

FIGURE 16.7: Cookies disabled message (Google's Preferences page reports: "Your cookies seem to be disabled. Setting preferences will not work until you enable cookies in your browser.")

9. To view the deleted cookie information, click the Settings button, and then click View Log in the Cleaned Cookies Log section.

G-Zapper can also clean your Google search history in Internet Explorer and Mozilla Firefox. It's far too easy for someone using your PC to get a glimpse of what you've been searching for.

FIGURE 16.8: Viewing the deleted logs (G-Zapper Settings dialog. Sounds: Play sound effect when a cookie is deleted (default.wav). Google Analytics Tracking: Block Google Analytics from tracking web sites that I visit. Cleaned Cookies Log: View Log, Clear Log, Enable logging of cookies that have recently been cleaned, Save my Google ID in the cleaned cookies log.)

You can simply run G-Zapper, minimize the window, and enjoy your enhanced search privacy.

10. The deleted cookies information opens in Notepad.

cookiescleaned - Notepad

(Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite Friday, August 31, 2012 10:42:13 AM
(Chrome) C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies Friday, August 31, 2012 11:04:20 AM
(Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite Friday, August 31, 2012 11:06:23 AM
(Firefox) C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\5vcc40ns.default\cookies.sqlite Wednesday, September 05, 2012 02:52:38 PM

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 03 Scanning Networks

FIGURE 16.9: Deleted logs report
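What the Delete Cookie button does, reproduced as an added Python example (this is not G-Zapper's code): open a Firefox cookies.sqlite store, list the Google cookies with the date each was created (G-Zapper's "date installed"), report how long they have been tracking you, delete them, and append a line to a cleaned-cookies log in the same shape as Figure 16.9. The moz_cookies table layout is a subset of Firefox's real schema; the cookie rows are constructed sample data, and the log line format is an assumption modelled on the lab's screenshot.

```python
"""Added example, not G-Zapper's code: inspect and delete Google cookies in a
Firefox-style cookies.sqlite store.  Sample rows and log format are constructed."""
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

# A cookie belongs to Google if its host is google.com or any subdomain of it
# (Firefox stores domain cookies with a leading dot, e.g. ".google.com").
GOOGLE_FILTER = "host = 'google.com' OR host LIKE '%.google.com'"

# Subset of Firefox's real moz_cookies columns; creationTime is microseconds
# since the Unix epoch, as Firefox stores it.
SCHEMA = """CREATE TABLE moz_cookies (
    id INTEGER PRIMARY KEY, name TEXT, value TEXT, host TEXT, path TEXT,
    expiry INTEGER, creationTime INTEGER, isSecure INTEGER, isHttpOnly INTEGER)"""


def make_sample_store(path):
    """Constructed sample cookie jar (not taken from a real browser profile)."""
    con = sqlite3.connect(path)
    con.execute(SCHEMA)
    con.executemany(
        "INSERT INTO moz_cookies (name, value, host, path, expiry, creationTime,"
        " isSecure, isHttpOnly) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        [("PREF", "ID=1a2b3c4d5e6f7a8b", ".google.com", "/", 1409481733,
          1346409733 * 1_000_000, 0, 0),      # created 2012-08-31 10:42:13 UTC
         ("NID", "67=abcdef", ".google.com", "/", 1362220800,
          1346409800 * 1_000_000, 0, 1),
         ("session", "xyz", "example.org", "/", 1409481733,
          1346409900 * 1_000_000, 1, 1)])     # non-Google cookie, must survive
    con.commit()
    con.close()


def google_cookies(path):
    """Return (name, host, created-as-UTC-datetime) for every Google cookie."""
    con = sqlite3.connect(path)
    rows = con.execute(
        f"SELECT name, host, creationTime FROM moz_cookies WHERE {GOOGLE_FILTER}"
    ).fetchall()
    con.close()
    return [(name, host, datetime.fromtimestamp(t / 1_000_000, tz=timezone.utc))
            for name, host, t in rows]


def tracking_age_days(path, now):
    """Days since the oldest Google cookie was set: how long searches were linkable."""
    cookies = google_cookies(path)
    return (now - min(c[2] for c in cookies)).days if cookies else 0


def delete_google_cookies(path, log_path, now):
    """Delete the Google cookies and log the store, G-Zapper style.  The browser
    must be closed first: Firefox keeps the database open while running."""
    con = sqlite3.connect(path)
    removed = con.execute(f"DELETE FROM moz_cookies WHERE {GOOGLE_FILTER}").rowcount
    con.commit()
    con.close()
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(f"(Firefox) {path} {now.strftime('%A, %B %d, %Y %I:%M:%S %p')}\n")
    return removed


def run_demo():
    """Build the sample store in a temp dir, clean it, and return what happened."""
    now = datetime(2012, 9, 5, 14, 52, 38, tzinfo=timezone.utc)  # lab's last log time
    with tempfile.TemporaryDirectory() as tmp:
        store = os.path.join(tmp, "cookies.sqlite")
        log = os.path.join(tmp, "cookiescleaned.txt")
        make_sample_store(store)
        before = google_cookies(store)
        age = tracking_age_days(store, now)
        removed = delete_google_cookies(store, log, now)
        after = google_cookies(store)
        with open(log, encoding="utf-8") as fh:
            log_lines = fh.read().splitlines()
    return {"before": len(before), "age_days": age, "removed": removed,
            "after": len(after), "log_lines": len(log_lines)}


if __name__ == "__main__":
    print(run_demo())
```

Chrome's cookie store (the second path in Figure 16.9) is also SQLite but uses a different table (`cookies`) and encrypts values on Windows, so the same approach needs a different query; the host filter and the log line are the parts that carry over.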

Lab Analysis

Document all the IP addresses, open ports and running applications, and protocols you discovered during the lab.


Tool/Utility: G-Zapper

Information Collected/Objectives Achieved:

Action Performed:
■ Detect the cookies
■ Delete the cookies
■ Block the cookies

Result: The deleted cookies were located under C:\Users\Administrator\Application Data

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Examine how G-Zapper automatically cleans Google cookies.

2. Check to see if G-Zapper is blocking cookies on sites other than Google.

Internet Connection Required
☑ Yes ☐ No

Platform Supported
☑ Classroom ☐ iLabs


Lab

Scanning the Network Using the Colasoft Packet Builder

The Colasoft Packet Builder is a useful tool for creating custom network packets.

Lab Scenario

In the previous lab you learned how you can detect, delete, and block cookies. Attackers exploit cross-site scripting (XSS) vulnerabilities by pushing malicious JavaScript code into a web application. When another user visits a page with that malicious code in it, the user's browser executes the code; the browser has no way of telling the difference between legitimate and malicious script. Injected code is another mechanism an attacker can use for session hijacking: by default, cookies stored by the browser can be read by JavaScript (unless they carry the HttpOnly attribute), so the injected code can read a user's cookies and transmit them to the attacker.

As an expert ethical hacker and penetration tester you should be able to prevent such attacks by validating all headers, cookies, query strings, form fields, and hidden fields; encoding input and output and filtering metacharacters in the input; and using a web application firewall to block the execution of malicious script.

Another method of checking a network's defenses is to send custom-built packets into it with Colasoft Packet Builder. In this lab, you will learn about sniffing network packets, performing ARP poisoning, spoofing the network, and DNS poisoning.
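The cookie-theft path described above is closed on the server side by the attributes a Set-Cookie header carries, so an added Python example (not part of the lab manual) that parses a header and flags what an injected script or a sniffer could still do with the session cookie. The two header strings are constructed samples: the weak form beside the hardened form.

```python
"""Added example, not from the lab manual: audit a Set-Cookie header for the
attributes that keep a session cookie away from injected script (HttpOnly),
off plain HTTP (Secure) and out of cross-site requests (SameSite).
The sample headers are constructed."""


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, has_value, val = part.partition("=")
            # Attribute names are case-insensitive; flags like HttpOnly carry no value.
            attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def audit_session_cookie(header):
    """Return the weaknesses a reviewer would flag on a session cookie header."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("no HttpOnly: document.cookie exposes it to injected script")
    if "secure" not in attrs:
        findings.append("no Secure: sent over plain HTTP, readable by a sniffer")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: attached to cross-site requests")
    return findings


# Constructed samples: the weak header and its hardened counterpart.
WEAK_HEADER = "sessionid=3b9f2c1e7a; Path=/"
HARDENED_HEADER = "sessionid=3b9f2c1e7a; Path=/; Secure; HttpOnly; SameSite=Strict"

if __name__ == "__main__":
    for h in (WEAK_HEADER, HARDENED_HEADER):
        print(h, "->", audit_session_cookie(h) or ["ok"])
```

HttpOnly stops the `document.cookie` read that the scenario describes, but it does not stop injected script from sending requests with the cookie attached, which is why the input validation, output encoding and filtering listed above are still needed.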

Lab Objectives

The objective of this lab is to reinforce concepts of network security policy, policy enforcement, and policy audits.

Lab Environment

In this lab, you need:

■ Colasoft Packet Builder, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Custom Packet Creator\Colasoft Packet Builder

■ A computer running Windows Server 2012 as host machine


■ Windows 8 running on a virtual machine as target machine

■ You can also download the latest version of Advanced Colasoft Packet Builder from the link http://www.colasoft.com/download/products/download_packet_builder.php

■ If you decide to download the latest version, then screenshots shown in the lab might differ

■ A web browser with Internet connection running in the host machine

Lab Duration

Time: 10 Minutes

Overview of Colasoft Packet Builder

Colasoft Packet Builder creates and sends custom network packets. This tool can be used to verify network protection against attacks and intruders. Colasoft Packet Builder features a decoding editor that lets users edit specific protocol field values much more easily.

Users are also able to edit decoding information in two editors: Decode Editor and Hex Editor. Users can select any one of the provided templates: Ethernet Packet, IP Packet, ARP Packet, or TCP Packet.

Lab Tasks

TASK 1: Scanning Network

1. Install and launch the Colasoft Packet Builder.

2. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 17.1: Windows Server 2012 - Desktop view

3. Click the Colasoft Packet Builder 1.0 app to open the Colasoft Packet Builder window.

You can download Colasoft Packet Builder from http://www.colasoft.com.

FIGURE 17.2: Windows Server 2012 - Apps

4. The Colasoft Packet Builder main window appears.

FIGURE 17.3: Colasoft Packet Builder main screen (menu: File, Edit, Send, Help; toolbar: Import, Export, Add, Insert, Checksum; panes: Decode Editor, Hex Editor, and Packet List showing Packets 0, Selected 0)

5. Before starting your task, check that the Adapter settings are set to default and then click OK.

Operating system requirements:

Windows Server 2003 and 64-bit Edition

Windows 2008 and 64-bit Edition

Windows 7 and 64-bit Edition

FIGURE 17.4: Colasoft Packet Builder Adapter settings (Select Adapter dialog: Physical Address D4:BE:D9:C3:CE:2D, Link Speed 100.0 Mbps, Max Frame Size 1500 bytes, IP Address 10.0.0.7/255.255.255.0, Default Gateway 10.0.0.1, Adapter Status Operational)


6. To add or create the packet, click Add in the menu section.

FIGURE 17.5: Colasoft Packet Builder creating the packet (toolbar: Import, Export, Add, Insert; Decode Editor pane)

7. When the Add Packet dialog box pops up, select the template and click OK.

FIGURE 17.6: Colasoft Packet Builder Add Packet dialog box (Select Template: ARP Packet; Delta Time: 0.1 second)

There are two ways to create a packet: Add and Insert. The difference between them is the newly added packet's position in the Packet List. The new packet is listed as the last packet in the list if added, but after the current packet if inserted.

Colasoft Packet Builder supports *.cscpkt (Capsa 5.x and 6.x Packet File) and *.cpf (Capsa 4.0 Packet File) formats. You may also import data from *.cap (Network Associates Sniffer packet files), *.pkt (EtherPeek v7 / TokenPeek / AiroPeek v9 / OmniPeek v9 packet files), *.dmp (TCPDUMP), and *.rawpkt (raw packet files).

8. You can view the added packets list on the right-hand side of your window.

TASK 2: Decode Editor

9. Colasoft Packet Builder allows you to edit the decoding information in the two editors: Decode Editor and Hex Editor.

FIGURE 17.7: Colasoft Packet Builder Packet List (Packets 1, Selected 1; No. 1, Delta Time 0.100000, Source 00:00:00:00:00:00)


The Decode Editor shows the template packet (Num: 000001, Length: 64) field by field, with each field's [offset/length] in bytes:

Ethernet Type II [0/14]
    Destination Address: FF:FF:FF:FF:FF:FF [0/6]
    Source Address: 00:00:00:00:00:00 [6/6]
    Protocol: 0x0806 (ARP) [12/2]
ARP - Address Resolution Protocol [14/28]
    Hardware Type: 1 (Ethernet) [14/2]
    Protocol Type: 0x0800 [16/2]
    Hardware Address Length: 6 [18/1]
    Protocol Address Length: 4 [19/1]
    Type: 1 (ARP Request) [20/2]
    Source Physical: 00:00:00:00:00:00 [22/6]
    Source IP: 0.0.0.0 [28/4]
    Destination Physical: 00:00:00:00:00:00 [32/6]
    Destination IP: 0.0.0.0 [38/4]
Extra Data: [42/18]
    Number of Bytes: 18 bytes [42/18]
FCS: 0xF577BDD9

Burst Mode option: If you check this option, Colasoft Packet Builder sends packets one after another without intermission. If you want to send packets at the original delta time, do not check this option.

FIGURE 17.8: Colasoft Packet Builder Decode Editor

The Hex Editor shows the same frame as 60 bytes (the Decode Editor's Length 64 also counts the 4-byte FCS), 14 bytes per row:

Hex Editor  Total 60 bytes
0000  FF FF FF FF FF FF 00 00 00 00 00 00 08 06
000E  00 01 08 00 06 04 00 01 00 00 00 00 00 00
001C  00 00 00 00 00 00 00 00 00 00 00 00 00 00
002A  00 00 00 00 00 00 00 00 00 00 00 00 00 00
0038  00 00 00 00

FIGURE 17.9: Colasoft Packet Builder Hex Editor

10. To send all packets at one time, click Send All from the menu bar.

11. Check the Burst Mode option in the Send All Packets dialog window, and then click Start.

FIGURE 17.10: Colasoft Packet Builder Send All button (toolbar: Send, Send All, Checksum; Packet List: No. 1, Delta Time 0.100000, Source 00:00:00:00:00:00, Destination FF:FF:FF:FF:FF:FF)

Option, Loop Sending: This defines how many times the sending is repeated, one time by default. Enter zero if you want to keep sending packets until you pause or stop it manually.

Select a packet from the packet listing to activate the Send All button.

FIGURE 17.11: Colasoft Packet Builder Send All Packets

12. Click Start.

FIGURE 17.12: Colasoft Packet Builder Send All Packets (dialog: Adapter: Realtek PCIe GBE Family Controller; Options: Burst Mode (no delay between packets), Loop Sending: 1 loops (zero for infinite loop), Delay Between Loops: 1000 milliseconds; Sending Information: Total Packets: 1, Packets Sent: 1, Progress; buttons Start, Stop, Close, Help)

The progress bar presents an overview of the sending process you are engaged in at the moment.

13. To export the packets sent, from the File menu select File → Export → All Packets.

FIGURE 17.13: Export All Packets option (File menu: Import..., Export → All Packets... / Selected Packets..., Exit)

FIGURE 17.14: Select a location to save the exported file (Save As dialog; Save as type: Colasoft Packet File (v6) (*.cscpkt))

FIGURE 17.15: Colasoft Packet Builder exporting packet (Packets.cscpkt)
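The frame the lab builds from the ARP Packet template, rebuilt and decoded in Python as an added example (this is not Colasoft's code). It lays out the bytes behind the Decode Editor's [offset/length] pairs, reproduces the Hex Editor's 14-byte rows, and then goes one step beyond the lab: it builds the spoofed ARP reply that "ARP poisoning" with a packet builder amounts to, and the check a defender runs against it. The lab's template is all zeros with a broadcast destination, and 10.0.0.7 / D4:BE:D9:C3:CE:2D is the lab's adapter; the gateway MAC in KNOWN and the attacker MAC in POISON are constructed.

```python
"""Added example, not Colasoft's code: build/decode the lab's 60-byte ARP frame
and flag an ARP reply that rewrites a known IP-to-MAC binding.
Gateway and attacker MAC addresses below are constructed."""
import struct
import zlib

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
MIN_FRAME = 60  # smallest Ethernet frame on the wire, not counting the 4-byte FCS


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    return bytes(int(o) for o in s.split("."))


def build_arp(op, src_mac, src_ip, dst_mac, dst_ip,
              eth_dst="FF:FF:FF:FF:FF:FF", eth_src=None):
    """Ethernet II header [0/14] + ARP body [14/28], zero-padded to 60 bytes
    (the 18 bytes the Decode Editor lists as Extra Data)."""
    eth = mac(eth_dst) + mac(eth_src or src_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 Ethernet, ptype=0x0800 IPv4, hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac(src_mac) + ip(src_ip) + mac(dst_mac) + ip(dst_ip)
    frame = eth + arp
    return frame + b"\x00" * (MIN_FRAME - len(frame))


def parse_arp(frame):
    """Decode the fields the Decode Editor shows; raises on non-ARP frames."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    as_mac = lambda b: ":".join(f"{x:02X}" for x in b)
    as_ip = lambda b: ".".join(str(x) for x in b)
    return {
        "eth_dst": as_mac(frame[0:6]), "eth_src": as_mac(frame[6:12]),
        "htype": htype, "ptype": ptype, "hlen": hlen, "plen": plen, "op": op,
        "sender_mac": as_mac(frame[22:28]), "sender_ip": as_ip(frame[28:32]),
        "target_mac": as_mac(frame[32:38]), "target_ip": as_ip(frame[38:42]),
        "padding": len(frame) - 42,
    }


def hexdump(frame, width=14):
    """Same layout as the lab's Hex Editor: hex offset, then `width` bytes per row."""
    return "\n".join(f"{off:04X} " + " ".join(f"{b:02X}" for b in frame[off:off + width])
                     for off in range(0, len(frame), width))


def fcs(frame):
    """Ethernet FCS is CRC-32 (same polynomial/init/xor as zlib.crc32); the NIC
    appends it, which is why the Decode Editor reports Length 64 for 60 bytes.
    Colasoft's display byte order may differ, so compare rather than assume."""
    return zlib.crc32(frame) & 0xFFFFFFFF


def detect_poison(frame, known):
    """Alert when an ARP reply's sender binding contradicts the `known`
    {ip: mac} table, the check a static ARP entry or Dynamic ARP Inspection
    effectively performs.  Returns None for requests and consistent replies."""
    f = parse_arp(frame)
    if f["op"] != ARP_REPLY:
        return None
    expected = known.get(f["sender_ip"])
    if expected and expected.upper() != f["sender_mac"]:
        return (f"ARP poisoning suspected: {f['sender_ip']} claimed by "
                f"{f['sender_mac']}, expected {expected.upper()}")
    return None


# The lab's template packet: every address zero, broadcast destination.
LAB_FRAME = build_arp(ARP_REQUEST, "00:00:00:00:00:00", "0.0.0.0",
                      "00:00:00:00:00:00", "0.0.0.0")

# Constructed poisoning frame: an attacker MAC claims the lab gateway 10.0.0.1
# in a unicast reply aimed at the lab host 10.0.0.7 (D4:BE:D9:C3:CE:2D).
KNOWN = {"10.0.0.1": "00:11:22:33:44:55"}          # constructed gateway MAC
POISON = build_arp(ARP_REPLY, "DE:AD:BE:EF:00:01", "10.0.0.1",
                   "D4:BE:D9:C3:CE:2D", "10.0.0.7", eth_dst="D4:BE:D9:C3:CE:2D")

if __name__ == "__main__":
    print(hexdump(LAB_FRAME))
    print(parse_arp(LAB_FRAME))
    print(detect_poison(POISON, KNOWN))
```

Sending either frame is what Packet Builder's Send All does through the selected adapter; in Python that needs a raw `AF_PACKET` socket bound to the interface (Linux, root), so this example stays offline and only builds and inspects the bytes.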

Lab Analysis

Analyze and document the results related to the lab exercise.

Tool/Utility: Colasoft Packet Builder

Information Collected/Objectives Achieved:

Adapter Used: Realtek PCIe Family Controller

Selected Packet Name: ARP Packets

Result: Exported packets are saved in Packets.cscpkt

Option, Packets Sent: This shows the number of packets sent successfully. Colasoft Packet Builder displays the packets sent unsuccessfully, too, if there is a packet not sent out.


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Analyze how Colasoft Packet Builder affects your network traffic while analyzing your network.

2. Evaluate what types of instant messages Capsa monitors.

3. Determine whether the packet buffer affects performance. If yes, then what steps do you take to avoid or reduce its effect on software?

Internet Connection Required
☐ Yes ☑ No

Platform Supported
☑ Classroom ☑ iLabs


Lab

Scanning Devices in a Network Using The Dude

The Dude automatically scans all devices within specified subnets, draws and lays out a map of your networks, monitors services of your devices, and alerts you in case some service has problems.

Lab Scenario

In the previous lab you learned how packets can be crafted and sent using Colasoft Packet Builder. Attackers too can sniff, capture, and analyze packets from a network and obtain specific network information. The attacker can disrupt communication between hosts and clients by modifying system configurations, or through the physical destruction of the network.

As an expert ethical hacker, you should be able to gather information on an organization's network to check for vulnerabilities and fix them before an attacker gets to compromise the machines using those vulnerabilities. If you detect any attack that has been performed on a network, immediately implement preventative measures to stop any additional unauthorized access.

In this lab you will learn to use The Dude to scan the devices in a network; the tool will alert you when a monitored service stops responding, which can be the first sign of an attack on the network.

Lab Objectives

The objective of this lab is to demonstrate how to scan all devices within specified subnets, draw and lay out a map of your networks, and monitor services on the network.

Lab Environment

To carry out the lab, you need:

■ The Dude, located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Network Discovery and Mapping Tools\The Dude

■ You can also download the latest version of The Dude from http://www.mikrotik.com/thedude.php


■ If you decide to download the latest version, then screenshots shown in the lab might differ

■ A computer running Windows Server 2012

■ Double-click The Dude installer and follow the wizard-driven installation steps to install The Dude

■ Administrative privileges to run tools

Lab Duration

Time: 10 Minutes

Overview of The Dude

The Dude network monitor is an application that can dramatically improve the way you manage your network environment. It will automatically scan all devices within specified subnets, draw and lay out a map of your networks, monitor services of your devices, and alert you in case some service has problems.

Lab Tasks

1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 18.1: Windows Server 2012 - Desktop view

2. In the Start menu, to launch The Dude, click The Dude icon.

TASK 1: Launch The Dude

FIGURE 18.2: Windows Server 2012 - Start menu

3. The main window of The Dude will appear.

FIGURE 18.3: Main window of The Dude (admin@localhost - The Dude 4.0beta3; left pane: Address Lists, Admins, Agents, Charts, Devices, Files, Functions, History Actions, Links, Logs, Network Maps, Networks, Notifications, Panels, Probes, Services, Tools)

4. Click the Discover button on the toolbar of the main window.

FIGURE 18.4: Select Discover button

5. The Device Discovery window appears.

FIGURE 18.6: Device Discovery window (General tab: Scan Networks: 10.0.0.0/24; Agent; Add Networks To Auto Scan; Black List; Device Name Preference: DNS, SNMP, NETBIOS, IP; Discovery Mode: fast (scan by ping) or reliable (scan each service); Recursive Hops: 1; Layout Map After Discovery Complete; other tabs: Services, Device Types, Advanced; buttons Discover, Cancel)

6. In the Device Discovery window, specify the Scan Networks range, select default from the Agent drop-down list, select DNS, SNMP, NETBIOS, and IP from the Device Name Preference drop-down list, and click Discover.

FIGURE 18.7: Selecting device name preference (Scan Networks: 10.0.0.0/24; Agent: default; Black List: none; Device Name Preference: DNS, SNMP, NETBIOS, IP; Discovery Mode: fast (scan by ping); Recursive Hops: 1)

7. Once the scan is complete, all the devices connected to the scanned network will be displayed.

FIGURE 18.8: Overview of network connection (the map shows each discovered Windows host with its CPU, memory, and disk usage percentages)
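The discovery the dialog configures, written out as an added Python example (this is not The Dude's code). It expands the Scan Networks CIDR, probes each address either until the first service answers (the dialog's fast mode) or across every service (reliable mode), and names the host by reverse DNS, falling back to the IP address as the Device Name Preference list does. Live probes use TCP connects because an ICMP ping needs raw sockets; the probe and resolver are injected so the same loop runs offline against the constructed FAKE_HOSTS inventory instead of the lab's 10.0.0.0/24, and the service list and host names below are assumptions.

```python
"""Added example, not The Dude's code: subnet discovery in fast/reliable mode.
FAKE_HOSTS is a constructed inventory; SERVICES is an assumed probe list."""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

# Services to probe, in order.  Assumed list; The Dude's real set is configured
# on the dialog's Services tab.
SERVICES = {"ssh": 22, "http": 80, "netbios": 139, "snmp": 161, "rdp": 3389}


def tcp_probe(host, port, timeout=0.5):
    """Live probe: a TCP connect.  SNMP is really UDP, so treat a hit on 161
    as a hint only; ICMP ping would need raw sockets (admin rights)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def reverse_dns(host):
    """Live resolver: DNS PTR lookup; None when the address has no name."""
    try:
        return socket.gethostbyaddr(host)[0]
    except OSError:
        return None


def discover(network, probe=tcp_probe, resolve=reverse_dns, mode="fast",
             services=SERVICES, workers=32):
    """Scan every host in `network` (CIDR).  fast: a host counts as up at the
    first service that answers; reliable: every service is checked.  Returns
    {ip: {"name": ..., "services": [...]}} for hosts that answered."""
    def scan_host(ip):
        found = []
        for name, port in services.items():
            if probe(ip, port):
                found.append(name)
                if mode == "fast":
                    break
        if not found:
            return ip, None
        # Name preference DNS -> ... -> IP: the address itself is the last resort.
        return ip, {"name": resolve(ip) or ip, "services": found}

    hosts = [str(h) for h in ipaddress.ip_network(network, strict=False).hosts()]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return {ip: info for ip, info in pool.map(scan_host, hosts) if info}


# Constructed inventory standing in for the lab's 10.0.0.0/24 (names assumed).
FAKE_HOSTS = {
    "10.0.0.1": {"ports": {80, 161}, "name": "gateway.lab.local"},
    "10.0.0.7": {"ports": {139, 3389}, "name": "WIN-LABHOST"},
    "10.0.0.9": {"ports": {22, 80}, "name": None},   # no PTR record
}


def fake_probe(ip, port):
    return port in FAKE_HOSTS.get(ip, {}).get("ports", set())


def fake_resolve(ip):
    return FAKE_HOSTS.get(ip, {}).get("name")


if __name__ == "__main__":
    for ip, info in sorted(discover("10.0.0.0/24", fake_probe, fake_resolve,
                                    mode="reliable").items()):
        print(ip, info["name"], ",".join(info["services"]))
```

Reliable mode is what you want before drawing a map or baselining services, since fast mode records only the first responder; on a real segment, run it with `discover("10.0.0.0/24")` and the live defaults.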

8. Select a device and place the mouse cursor on it to display the detailed information about that device.


FIGURE 18.9: Detailed information of the device

9. Now, click the down arrow for the Local drop-down list to see information on History Actions, Tools, Files, Logs, and so on.


FIGURE 18.10: Selecting Local information

10. Select options from the drop-down list to view complete information.


FIGURE 18.11: Scanned network complete information


11. As described previously, you may select all the other options from the drop-down list to view the respective information.

12. Once scanning is complete, click the button to disconnect.


FIGURE 18.12: Connection of systems in network
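The two discovery modes from step 6 (fast "scan by ping" versus reliable "scan each service") and the DNS, SNMP, NETBIOS, IP name preference are easy to click through but worth understanding as logic. The following Python model is an added example, not code from the lab manual or from The Dude: it uses a constructed host inventory for the lab's 10.0.0.0/24 range so it runs offline, and its reading of "reliable" mode (a host counts as live when any probed service answers, even if it drops ICMP) is an assumption.

```python
"""Model of The Dude's two discovery modes and its device-name preference.
Added example, not from the CEH lab manual or from The Dude itself; probe
results are constructed data so it runs offline (a real version would send
ICMP, TCP, DNS, SNMP and NetBIOS requests to the lab's 10.0.0.0/24 range)."""
import ipaddress
# Constructed inventory: whether the host answers ping, which service ports it
# answers on, and what each name source returns (None = no answer).
HOSTS = {
    "10.0.0.1":  {"ping": True,  "ports": {22, 80},   "dns": "gw.lab.local", "snmp": "router1", "netbios": None},
    "10.0.0.12": {"ping": True,  "ports": {139, 445}, "dns": None, "snmp": None, "netbios": "WIN-LAB12"},
    "10.0.0.40": {"ping": False, "ports": {443},      "dns": None, "snmp": "srv40", "netbios": None},  # drops ICMP
    "10.0.0.99": {"ping": False, "ports": set(),      "dns": "old.lab.local", "snmp": None, "netbios": None},  # nothing listening
}
SERVICE_PORTS = (22, 80, 139, 443, 445)  # services probed in "reliable" mode

def ping(ip):
    return HOSTS.get(ip, {}).get("ping", False)

def service_open(ip, port):
    return port in HOSTS.get(ip, {}).get("ports", set())

def lookup(method, ip):
    """DNS / SNMP sysName / NetBIOS lookup against the constructed data."""
    return HOSTS.get(ip, {}).get(method)

def discover(network, mode, ping_fn=ping, service_fn=service_open):
    """Live hosts in `network`, in address order. 'fast' is The Dude's "scan by
    ping" (ICMP only); 'reliable' ("scan each service") is assumed here to also
    count a host as live when any probed service answers, so 10.0.0.40 appears."""
    if mode not in ("fast", "reliable"): raise ValueError("mode must be 'fast' or 'reliable'")
    live = []
    for addr in ipaddress.ip_network(network).hosts():
        ip = str(addr)
        alive = ping_fn(ip)
        if not alive and mode == "reliable":
            alive = any(service_fn(ip, p) for p in SERVICE_PORTS)
        if alive:
            live.append(ip)
    return live

def device_name(ip, preference=("dns", "snmp", "netbios", "ip"), lookup_fn=lookup):
    """Label a device by the first source in `preference` that answers, i.e. the
    lab's DNS, SNMP, NETBIOS, IP order; 'ip' is the fallback that always works."""
    for method in preference:
        if method == "ip":
            break
        name = lookup_fn(method, ip)
        if name:
            return name
    return ip
```

Comparing `discover("10.0.0.0/24", "fast")` with the reliable run shows why a ping-only map of a network with ICMP filtering under-counts its hosts, which matters when the map is used to decide what needs patching.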

Lab Analysis

Analyze and document the results related to the lab exercise.

Tool/Utility: The Dude

Information Collected/Objectives Achieved:

IP Address Range: 10.0.0.0 – 10.0.0.24

Device Name Preferences: DNS, SNMP, NETBIOS, IP

Output: List of connected systems and devices in the network


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required

☐ Yes ☑ No

Platform Supported

☑ Classroom ☑ iLabs
